Introduction


Welcome! 


This guide was developed to help people understand what cryptography is, how it works and why they should use it. It deals primarily with e-mail cryptography, but there are also sections covering offline usage for local files.


Most people don't use cryptography simply because they don't know what it is, or because they have erroneous ideas about it, such as that it is extremely complex, expensive or even illegal. They are also not aware of the risks and dangers they face by not using it.


On the other side, the largest IT companies and e-mail providers also do not provide adequate information on this issue and resist implementing cryptography in their systems because it would increase their costs without giving them direct benefits.


We believe that cryptography is essential and necessary to maintain the privacy and security of digital communications, and the more people adopt this technology, the more it becomes an indispensable feature that comes with every service.

This guide is intended for laypersons, so it is easy to understand and no prior advanced knowledge is needed. You will learn how to install and configure all the programs necessary to have cryptography working on your system, and by the end you will be able to communicate with other people with maximum privacy and security.


We hope you enjoy it. Thanks for choosing this guide! 


Best regards, 


The Golden Keys Team 
https://goldencontest.wordpress.com 
PART 1


BASIC CONCEPTS 


> What is Cryptography 

> Why use Cryptography 
> How Cryptography works 
> The Anatomy of a Key 

> What is GnuPG 
CHAPTER 1


What is cryptography? 


Cryptography is the process of encoding and decoding information, messages and files using a secret code, with the purpose of offering privacy and security. This can be accomplished through machines, computer programs, or both.


Cryptography is used whenever there is a need to transmit information securely between two parties, ensuring that only the sender and the receiver are able to decipher its original content. Anyone who intercepts it without authorization will only see a jumble of symbols and codes that makes no sense, and will not be able to decipher it.


Cryptography has existed for thousands of years, but for most of its history it was considered a military tool, used almost exclusively by governments and armies due to its high cost and complexity.


Things started to change with the emergence of personal computers and the internet. With 
the advent of those technologies, high level cryptography became affordable to the general 
public at the same time that the need for more secure systems was increasing. 


Today cryptography is essential for many areas of our society and it is employed in a variety of systems including personal computing, mobile phones, banking systems, magnetic cards, ATM machines, electronic commerce, data storage, wireless devices, etc. However, few users are aware of cryptography's presence in their lives, and even fewer know how to use it or how it works internally.
CHAPTER 2


Why use cryptography? 


There are several reasons why you should always use cryptography in your personal and professional communications, and they all come down to your privacy and security. Below we list 7 points so you can better understand the importance of this technology.


E-mail is extremely insecure 


E-mail is one of the most insecure systems ever, simply because it was not designed to be secure. Messages travel through many machines, networks and even countries, and they can be intercepted in many different ways by anyone who has access to them. By default their contents (text, images and attachments) are transmitted without any security at all.


You are constantly being monitored 


E-mail providers (such as Hotmail, Gmail, Yahoo) store all your sent and received messages for an indeterminate time — possibly forever — even after you have erased them from the trash bin or terminated your account. They do it for two reasons: to sell you more services and advertisements, and to collaborate with government surveillance programs.


The records of your e-mail communications may be — and often are — stored on machines located in countries other than yours, and once they are in another jurisdiction they are subject to that nation's laws, and there is virtually nothing you can do to claim the right to privacy you may have in your own country. This may happen even if you have never been in those countries.


It can be used at home or in business


Cryptography can be used at home or in business and it works with a wide variety of devices such as personal computers, mobile phones, tablet computers, workstations, servers, complex network infrastructures and others.


It can be used for personal communications with family and friends, to store sensitive information, to back up sensitive information, to encrypt the whole disk, to send and receive files, to provide a secure channel to access one's machine, among other uses.
It increases your credibility


When you offer a secure means for people to communicate with you it demonstrates how much you value and care about their privacy and security. This is especially true in business, where there is often a high volume of sensitive information being exchanged, but it also applies to personal relationships.


You convince more people to use it 


Sending and receiving encrypted messages requires that the people you communicate with also use cryptography, so if you start using it you will naturally tell other people about it. Given the advantages and benefits of using cryptography, many of them will eventually embrace it, and it is easier to start doing something when people they know are already doing it.


Another advantage is that it is possible to use cryptography and still communicate with people who don't use it. The communication will be unencrypted, of course, but at least you don't have to limit yourself to only one group of people.


It's free 


There are many types of cryptography systems for different needs with varying 
prices. The system we present to you in this book, GnuPG, is 100% free both in 
terms of price and in freedom to use it. You can set it up in any environment 
you want without having to pay for licenses, royalties, fees or require any type 
of authorization, and the program is powerful enough to be used in a single 
computer and in the infrastructure of a multinational corporation. 


Your privacy 


Last but not least, your e-mail communications are private and they should remain private. It doesn't matter if you send a message telling about a new restaurant in the city, your credit card number with the password (yes, people do it), or a picture of yourself naked (yes, people do it A LOT), it is not anyone else's business and it is up to you to ensure your private matters remain private.
CHAPTER 3


How cryptography works


The basic idea is to shuffle the original information with the secret code, resulting in the 
encrypted information. The power, strength and security of encryption lies exactly in how 
these parts are shuffled. The diagram below illustrates this process: 


[Figure: ORIGINAL INFORMATION combined with the SECRET CODE gives the ENCRYPTED INFORMATION.]

Original information:

Good Morning,
I will travel to
the beach and
my house will
be alone for
one week.

Have a nice day
John.

Encrypted information:

---BEGIN PGP---
MQENBFDwwfsBC9wL
Dr1/u4x1RNUyiNgf
1YJIcGVq2d0er76t
p+tOmNF7VV5acFrp
Y44L7JC0+Y6Zc2z0
tvrm6d/akQ7fEf/k
3ZvOILmulh6xwfk
---END PGP---


That's it, your message is now encrypted and ready to be sent. For the recipient to be able to decrypt it, they will need to possess the secret code, which is covered in the next section.


Now let's see the two main types of encryption methods: symmetric and asymmetric. 
3.1 Symmetric Cryptography


Symmetric cryptography is the simplest of all and you have probably used it many times. The word symmetric means “equal”, which here means that the password used to encode and to decode a file is the same.


The most basic example is when you save a file with password. It doesn't matter if you save 
it for yourself or for others, the password to open it is always the same. 


Symmetric cryptography is faster, simpler and more economical than asymmetric cryptography because it performs fewer mathematical calculations, which in turn use fewer machine resources (e.g. electricity). It is also more compatible with other systems and it is very secure.


However its main problem lies not in strength, but in the transmission of the secret code. 
When you send an encrypted file to another person you also have to send the password so 
the person can open it, and symmetric cryptography does not provide any means to send 
the password in a secure way. 


You cannot send the encrypted file through e-mail with the password written in the message body, because that is too obvious and risky. You could send the password by phone, SMS or letter, but these methods are also insecure and could easily be intercepted. You could deliver the password in person, but this is very inconvenient and sometimes unfeasible.


So how do you do it? As you can see, the major problem of symmetric cryptography is transmitting the password in a convenient and secure way. If the password is compromised, anyone can access the file and even modify it.


Another disadvantage is that if you use a password, you automatically know it, and others could coerce you to reveal it, for example at customs, through a court order or under interrogation.


It is because of these reasons that symmetric cryptography is recommended for files that stay stored locally (such as backup copies) or files to be transferred through physical media.
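The passphrase round trip this section describes, as an added example that is not part of the guide: a file is encrypted with a passphrase only, decrypted in a second, empty GnuPG home that holds no keys at all (the receiver needs nothing but the passphrase), and an intercepted copy is shown to be useless to a third party who guesses wrong. It assumes GnuPG 2.1 or newer is installed as `gpg` and that `gpgconf` is available; the note text and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): symmetric encryption with GnuPG, i.e.
# one passphrase for both encrypting and decrypting, as section 3.1 describes.
# Assumes GnuPG 2.1 or newer on PATH. Each party runs in its own throw-away
# GNUPGHOME so the demo never touches your real keyring or the agent's cache.
# The note text and the passphrase are constructed for this example.

# gpg wrapper: GNUPGHOME $1, unattended passphrase $2, remaining args to gpg.
gpg_sym() {
    home=$1; pass=$2; shift 2
    GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$pass" "$@"
}

# Each home started its own gpg-agent; stop them, then delete the work dir.
stop_agents() {
    for h in "$1"/sender "$1"/receiver "$1"/intruder; do
        if [ -d "$h" ]; then GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; fi
    done
    rm -rf "$1"
}

sym_steps() {
    w=$1
    pass='constructed-demo-passphrase-use-a-long-random-one'
    printf 'Good morning, my house will be empty for one week.\n' > "$w/note.txt"
    # Sender: --symmetric uses only the passphrase, no key pair. --armor gives
    # the text form that starts with "-----BEGIN PGP MESSAGE-----".
    gpg_sym "$w/sender" "$pass" --symmetric --cipher-algo AES256 --armor \
        --output "$w/note.asc" "$w/note.txt" || return 1
    head -n 1 "$w/note.asc" | grep -q 'BEGIN PGP MESSAGE' || return 1
    # Receiver: an empty home with no keys; the same passphrase is all it takes.
    gpg_sym "$w/receiver" "$pass" --decrypt --output "$w/note.dec" "$w/note.asc" || return 1
    cmp -s "$w/note.txt" "$w/note.dec" || return 1
    # Intruder who intercepted the file but not the passphrase: must fail. The
    # weak spot is not the cipher, it is getting the passphrase to the receiver.
    if gpg_sym "$w/intruder" 'wrong-guess' --decrypt --output "$w/note.bad" "$w/note.asc" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Prints "ok" after a full round trip, "skipped" when gpg is not installed.
symmetric_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    w=$(mktemp -d) || return 1
    for p in sender receiver intruder; do mkdir -m 700 "$w/$p"; done
    if sym_steps "$w"; then st=0; else st=1; fi
    stop_agents "$w"
    if [ "$st" -eq 0 ]; then echo ok; fi
    return "$st"
}

# Usage: sh sym.sh run
case "${1:-}" in run) symmetric_roundtrip ;; esac
```

The three separate homes matter: GnuPG's agent caches a symmetric passphrase after a successful decryption, so running the wrong-passphrase attempt in the receiver's home could appear to succeed from the cache rather than from the passphrase given.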
3.2 Asymmetric or public key cryptography


Asymmetric cryptography, also known as public key cryptography, was created to solve the 
problem of transmitting the secret code that symmetric cryptography poses. 


Simply speaking, in public key cryptography, instead of using a single code that is the same for everyone, a code with two parts is used: your part and the other person's part. This way only she will be able to decrypt the information you send to her. If someone intercepts this information along the way he will not be able to do anything with it, because he does not have the necessary part of the code.


These “parts” are actually called keys, and there is a public key and a private key. The example below illustrates this more easily:


Let's imagine that John wants to send an encrypted file to Mary using public key cryptography. Here are the steps they have to follow to accomplish this:


1 - Create a key pair 


First, each of them creates a key pair containing a private key (red) and a public key (yellow). This step is covered in detail in chapter 6.
2 - Exchange public keys


Each of them sends a copy of their public key to the other, since the purpose of the public key is to give it to others. There are several ways to do it; the most common is to send it via e-mail (discussed in chapter 8.4), but it is also possible to publish the key on a key server or a personal website, or to deliver it through physical media (such as a CD-ROM).


Page 14 of 140 https://goldencontest.wordpress.com
GnuPG High Level Cryptography ©2014 Golden Keys


3 - Verify the received key


Now each of them possesses their own key pair and a copy of the other person's public key. They must verify the other's public key to confirm they received it correctly. This is the most important step because it ensures that the key they received was not tampered with or modified along the way.


Verifying is a simple process: every key comes with a number (a digital fingerprint) and all they have to do is check this number with the sender to ensure it is correct.


[Figure: VERIFY PUBLIC KEYS]

JOHN says: “I've checked this key's fingerprint with Mary and she confirmed the same number, so the key is correct.”

MARY says: “I've checked this key's fingerprint with John and he confirmed the same number, so the key is correct.”
4 - Encrypt a file and send it


To encrypt a file to another person, John just chooses the file he wants to send and the recipient, and the file is encrypted exclusively to that person.


[Figure: ORIGINAL INFORMATION combined with EACH ONE'S KEY gives the ENCRYPTED INFORMATION.]

Original information:

Good Morning,
I will travel to
the beach and
my house will
be alone for
one week.

Have a nice day
John.

Encrypted information:

---BEGIN PGP---
MQENBFDwwfsBC9wL
Dr1/u4x1RNUyiNgf
1YJIcGVq2d0er76t
p+tOmNF7VV5acFrp
Y44L7JC0+Y6Zc2z0
tvrm6d/akQ7fEf/k
3ZvOILmulh6xwfk
---END PGP---


The original message is combined with the sender's private key (John's) and the receiver's public key (Mary's), resulting in an encrypted file that only the receiver (Mary) can decrypt.


Now the resulting file can be sent to Mary through any means (such as e-mail), because only she can decrypt it: to do so she needs her own private key and the sender's public key.
CHAPTER 4
Anatomy of a key


A key pair consists of a public key and a private key. The public key is the key that you distribute to others, and the private key is the key that you keep to yourself. Keys are basically a stream of text that contains all the information needed to identify them. Here we provide text and graphical representations of keys. Keys are always stored in keyrings.


Keys can perform up to 4 different operations:


• Sign and Verify (S)
• Encrypt and Decrypt (E)
• Certify (C)
• Authenticate (A)


In this book we cover the first two operations, which are discussed in more detail in their respective chapters.


The example below illustrates the basic information contained in a key pair. The private key 
is the red one, and the public key is the yellow one. 


4.1 - A key pair


Here you can see a key pair containing a private key and a public key.


4096R/FB0AFF3F
2014-01-08 / 2015-01-08
Joe Bloggs (This is Joe's key)
joe.bloggs@example.com

E44E 404D A2AE 8FF8 7913
BC1F 1DAC 9405 FB0A FF3F


Figure 1: Information contained in a key pair
4.2 - Parts of a key
Below we explain what each part of the key means.


• S/E/C/A
These letters are called 'flags' and they represent the operations the key is able to perform, as described at the beginning of the chapter. In our example the key can perform all four operations, but not all keys can perform them all.

• 4096R/FB0AFF3F
4096 is the length of the key in bits, which normally varies between 1024 and 4096. R is the type of the key, in this case RSA. FB0AFF3F is the key identifier (ID).

• 2014-01-08 / 2015-01-08
Those are the creation date and the expiry date (if one exists), respectively. They are presented in the format YYYY-MM-DD.

• Joe Bloggs (This is Joe's key) joe.bloggs@example.com
The key owner's full name, comment and e-mail address.

• E44E 404D A2AE 8FF8 7913 BC1F 1DAC 9405 FB0A FF3F
This is the key fingerprint, a unique hexadecimal number with 40 digits that every key has. Every time you receive a key you have to confirm the fingerprint with the key's owner, because it is the only guarantee you have that the key in fact belongs to the person who claims to be its owner and was not tampered with or modified along the way.

• Image
It is possible to add an image to your key, but this is not recommended for three reasons: it makes your key larger, some programs have problems dealing with images, and it gives a false sense of security.


All these attributes are present in every key, so you can check them every time you obtain a key, just as others can check them on your key.
4.3 - Keys in a keyring (graphical visualization)


Keys are always stored in keyrings, which are managed by GnuPG. You can easily back up or export your whole keyring to use it on another machine that you own. Below there are 3 keys from different owners in a keyring, which were obtained from the owners' respective websites. Since the keys are not ours, only their public parts are available.


2048R/4B18732F
2013-01-12
EFF Info
info@eff.org

F2F2 1BB8 531E 9DC3 0D40
F68B 11A1 A9C8 4B18 732F


4096R/2A8E4C02
2013-07-20
Richard Stallman
rms@gnu.org

6781 9B34 3B2A B70D ED93
2087 2C64 64AF 2A8E 4C02


4096R/D61D017A
2013-02-19 / 2020-02-18
Encrypted Email (IETF)
encrypted@ietf.org

67CF 5A28 0B7D 3E84 3412
C136 54FA 53C7 D61D 017A


Figure 2: Public keys in a keyring


This is how keys would look graphically in our example. None of these keys actually has an image; the images were added to the figure only to make comprehension easier.
4.4 - Keys in a keyring (text visualization)


Here are the same keys displayed on the command line:


gpg --list-keys --fingerprint


2048R/4B18732F 2013-01-12
Key fingerprint = F2F2 1BB8 531E 9DC3 0D40 F68B 11A1 A9C8 4B18 732F
EFF Info <info@eff.org>
2048R/75DA5789 2013-01-12


4096R/2A8E4C02 2013-07-20
Key fingerprint = 6781 9B34 3B2A B70D ED93 2087 2C64 64AF 2A8E 4C02
Richard Stallman <rms@gnu.org>
4096R/62853425 2013-07-20


4096R/D61D017A 2013-02-19 [expires: 2020-02-18]
Key fingerprint = 67CF 5A28 0B7D 3E84 3412 C136 54FA 53C7 D61D 017A
Encrypted Email (IETF) <encrypted@ietf.org>
4096R/D4E938B1 2013-02-19 [expires: 2020-02-18]
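The same attributes (length, algorithm, short key ID, flags, dates, fingerprint, user ID) in the machine-readable listing that GnuPG produces with `--with-colons`, which is what scripts and front-ends read instead of the human listing above. This is an added example, not the guide's code: the record names and field positions are GnuPG's (documented in its DETAILS file), while the listing itself is constructed from the Joe Bloggs figure of section 4.1, with a made-up user-ID hash and subkey ID.

```shell
#!/bin/sh
# Added example, not from the guide: parsing the key attributes of chapter 4
# from GnuPG's machine-readable listing, i.e. the output of
#     gpg --with-colons --fingerprint --list-keys
# Record types (pub/fpr/uid/sub) and field numbers follow GnuPG's doc/DETAILS.
# The listing is constructed for this example from the Joe Bloggs figure
# (dates and fingerprint as in the guide); uid hash and subkey id are made up.
SAMPLE_COLONS="pub:u:4096:1:1DAC9405FB0AFF3F:1389139200:1420675200::u:::scESCA::::::::
fpr:::::::::E44E404DA2AE8FF87913BC1F1DAC9405FB0AFF3F:
uid:u::::1389139200::0123456789ABCDEF0123456789ABCDEF01234567::Joe Bloggs (This is Joe's key) <joe.bloggs@example.com>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1389139200:1420675200:::::e::::::23:"

# Reads a colon listing on stdin and prints the four lines the guide shows:
# "<bits><algo>/<short id> [flags]", "<created> / <expires>", fingerprint, uid.
summarize_key() {
    awk -F: '
    # Unix seconds -> YYYY-MM-DD without relying on a platform-specific date(1).
    function civil(ts,    z, era, doe, yoe, y, doy, mp, d, m) {
        z = int(ts / 86400) + 719468
        era = int(z / 146097)
        doe = z - era * 146097
        yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = (mp < 10) ? mp + 3 : mp - 9
        if (m <= 2) y++
        return sprintf("%04d-%02d-%02d", y, m, d)
    }
    # Group the 40-digit fingerprint in blocks of four, as gpg --fingerprint does.
    function spaced(h,    out, i) {
        out = ""
        for (i = 1; i <= length(h); i += 4)
            out = out (i > 1 ? " " : "") substr(h, i, 4)
        return out
    }
    $1 == "pub" {
        # field 3: length in bits; field 4: algorithm id (1 = RSA, 17 = DSA,
        # 22 = EdDSA); field 5: long key id, whose last 8 digits are the short
        # id shown in the guide; fields 6/7: creation and expiry, Unix seconds.
        algo = ($4 == 1) ? "R" : ($4 == 17) ? "D" : ($4 == 22) ? "E" : "?"
        shortid = substr($5, length($5) - 7)
        # field 12: capabilities; upper-case letters describe the whole key
        # pair (primary plus subkeys), lower-case only this primary key.
        flags = ""
        if ($12 ~ /S/) flags = flags "S"
        if ($12 ~ /E/) flags = flags "E"
        if ($12 ~ /C/) flags = flags "C"
        if ($12 ~ /A/) flags = flags "A"
        printf "%s%s/%s [%s]\n", $3, algo, shortid, flags
        printf "%s / %s\n", civil($6), ($7 == "" ? "never" : civil($7))
    }
    $1 == "fpr" && !seen_fpr { print spaced($10); seen_fpr = 1 }  # primary key only
    $1 == "uid" { print $10 }
    '
}

# Summary of the constructed sample. For a real keyring pipe gpg in instead:
#     gpg --with-colons --fingerprint --list-keys | summarize_key
demo_summary() {
    printf '%s\n' "$SAMPLE_COLONS" | summarize_key
}
```

Note that the listing carries the full 40-digit fingerprint on its own `fpr` record; the 8-digit ID in the first line is only the tail of it, which is why the guide insists on comparing the whole fingerprint, not the ID, when verifying a key.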
4.5 - What a key looks like


A key is just a file that contains all the attributes mentioned above. Below is an example of what a key looks like in ASCII-armored format:


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux) 


mQINBFLNWKoBEADgHEPghCbz3/hBOsMZUQLERDFgpT1l+m5ZHBk7XzIHxzG+ij rmY 
HGgF4qurzL2RFxj xFHQEVHcAZHxgWnqgQNl+lh1QkVtn34ku904euGneM+s j bEbcc 
S8i7pfBCmj G6dw61xRK64RwKebXYHbmf q4Yx6QVPOHeVs r0Y9pF rAgwTWxywUnQk 
LZKf pIxupQIPiVIUE8xQNBfdJSUiK+I/80Ic9fbml/GF3FEp+4BytWsoNFWc4sek 
9Y3ybZJPMakj /bfde4UCH2p9LcpRM87F34uKIzB66so4sbkqNu7kUabdX+skG5tO 
rOTBoEddHLBXtVXpGO0oGu1gRL8A00CUM519AWukj XyOTPNOHSz2ECsStisFmzBtE 
0+Qo0p41VrwHO9QQK3p7a0G+tVqHnhUr6P9 Ff 3udKbl j WzdXZZnANCU5USPpM10JR 
tPRnOzQmRPucEwUkdcZ3ieINoJ9vIPJU23027WboNUMm4Wy Fwc fawkh7 xwxXDMoynu 
6XIch+10e/EkkSv+/In/HRwxTQhx8RiSQV79HEFSHfwFt8325c23dgZ8UseESM8M 
8KoALt ZANBFamNaV7AI f9Xsob9/iLj 81bU3qTaj 02dsse4WgK+tAzsnGBOsGpNq7 
rq2Qii/oEJq3XgyCOfFK69WFqQ+kduV1sJZxVgUgUj LY F5FQUNXnvdv f6QARAQAB 
tDdkKb2UgQmxvZ2dzIChUaGlzIGlzIEpvZSdzIGtleSkgPGpvZS5ibG9nNZ3NAZXhh 
bXBsZS5j]b20+i1Q1+BBMBAgAoBQJSzcCqAhsDBQkB4TOABgsJCAcDAgYVCAIJCgsE 
FgIDAQIeAQIXgAAKCRAdrJQF+wr/P051D/9mwGEyyFDcJCXXtKjMUK7RMy2K91b1 
J+26qfFUM8Zi7wOVC43p+8143ZHPt6X84FPOXFx31FCpUWpiqwBf yTucxfPnA0JC 
JoWk200GOXJOm905n+t r1HLLE+T19ANnNUC+Z3pvHycfbs+rB+SSw+BjO0YsdG1/0x 
mMOUExWEw+hQaa3/86Y6Tog0gxJssQhxSDBnImvSLDa6NdK/NblLbl5lOm2zkTLxR 
vV5AEJuPeUu7p2C7y49SpRf lSyeFPV5 raC291HqSVagCMZpVVwIdmvzuqlh+fgG73 
AUwRYsilm3i9KVxze8vtEfzze6VuM9iXLuDhkw27N/12YV+VMga20Phu0TtsM169 
7v4jAuxgdZlrwMm0hAOuccpOz4vtMs rkbOUr/ti5GEnGX6bzqvl1i5S1B+Uz04kU1 
7+qpw30Ko fgMRhefAJHMZMzQ98Fe/MxDIIV6XOF rqocTco1+4J4nP/eJ4y+D/rYA 
banOwoVzy7GOxBOTPi0FXbFPYGj 1lvGCd38y2wLj oPDO@Sb18kUKZz1JAjkLIevNTH 
ZFY9vISOdKHz240c3XJ pKxTdY tLFuwy5d4fTj xnfCZV2FPDDQVKPiLM6qVBANUbz 
XpjJiwEWM/7 LOu7CKGmHU1PPI3KnatqAD7Sc2z5qC60GFQ43Cy6QG4Ha05 j B2UbE 
CNRN6aseHeOwt rkCDQRSzcCqARAAr9i f vPQeFOpetw/0/+4x37cKIzCRfTLfrste 
wo0y4WJ j n58IzBysFQ3EX82w4k4Vb9ORROTUNKP+p3J LIQtiltx26o0awJ fQLi8bK 
1g05f+qS1z/cUFT yK8z LH4XZ00TAb77ZNmzFv613dQdud+H3 fbwkUcDJOXBT8yE/ 
bNeIikmF/Zuk9 fWVAQ8vAUr6T j QxCXhfXxl25yz/FM3/d679Ss6itgfEytXCKQug 
BhHOGLKUUZe5sPcGsak4MY62/H73QreEEGXi9CSu6+JKE1p30NkpGsXxiBY9Tod7f 
Wm2Xj nvbHyV+ZbISiEa/c2LGR5a/7p0shxhKeSHN5y6RaPFDsxW5UQ f QuLkkKhg00 
cnNGGyLpZN9fs93ZbQLGLEOU] n6umgU3EWLvHyd90pYh7HOgkZ5KZRnfKXnLiaX+ 
cQA07176AkIJ9404DQ21/UQzZQunmORKT7JRsW1s00LSKR2sRUGdBnnAo4uFMV j +Z 
+yANobyMFBLI5FY/LOOKmtNnOmXLPfTESHp1605 j zOLJ3an7ibh9i0f7KwWHrk9o 
B6bxGU2YW1j fP1rcaFBA/Xpm+mzK84Nshx7XKwyQpyRHhSxXUAhSNkEBnXstd15mE 
ZUDAH43dWikDJ thac2vgoFMOPK/Vi/8cTymLFAHQXOWd jNGaIBmn01ly2XIyqTA7P 
V4gBfXOAEQEAAYKCIQQYAQIADWUCUs 3AqgIbDAUJAeEzgAAKCRAdrJQF+wr/PwLV 
D/ObPEJ+h30uvYaR3j eSYFYPf f LKMoADpWsexG9cW3zKWznywBkGj6CHJIhmZgivn 
+61zgT8WO8elyz667UMnnF LOHWCGQ13NxNzZLCq7wOUZ9Ip7vtD7G986Icy3D8cd 
iVdoAYS4NwBSbxV3kxNO1Y6rlqf4MEfNAVFPXOUURTO9Xkj YOEnITzIvDa68lm7U 
51a90MCZm50eENSWkTgx80YemxlS1NB4tAzZ14q7Tj skwTo2NtJA4z9w+8isI2zy 
dVOIpVxX0ZBdjN1Ru4gsy7P54eE6QXUV118akKpsBx9YWYEw81H8JOXS5RX5qTYcS 
VZz1ukXN58VEq5bP96zpgRRmxSSrsgZlCUov0J70xHNb/OnuJqm/862DsavFzEIF 
0/4cOCAq6aqU4hcMGeHMPWUf qNAJeJ ZDL3WTe4kok73RFTGE2Zg+yvSZEJBVVeP/ 
sGt+pjehxLTn1HbnY9FoiArknFVBCatwXOBmI bkNm4vhwgpuf2UhVT4uaMSj I1tpq 
WOtxP/VDTasG6WKOXI qdZCJ+pCKDIeo4FGb97FXpRX/3jHgcZbWBszpKk5yt5raE 
wa fwqHS j wNbe+ws 7tpv/ADAj cChZx1ToTHRhP4C+3zQbaP9w3EPDpZj rQhcz5ZUB 
bsxVMyVeRuL6BnckGoqsL/ lLEw+qdZPCKsmdwxJ5+3FbbWg== 

=4n8Z
-----END PGP PUBLIC KEY BLOCK-----


This is what a key looks like in ASCII-armored format. If you open any key with a text editor you will see a similar result (unless the key is in binary format).


The term ASCII, when used throughout this guide, simply means text or in text format (actually it's more complex than that; you can check this Wikipedia article for more information: https://en.wikipedia.org/wiki/ASCII).


The key in this example is the same key used in section 7.1. If you copy and save it in a text file, you can import it into your keyring as described in chapters 12, 15 and 16. You can also check that the fingerprint is the same. Note that our example key does not have an image; the image was only added to the figure for illustrative purposes.


4.6 - Conclusion

Keys are the basic component of asymmetric cryptography, also known as public key cryptography. They store information about the key's owner that allows users to identify the owner, as well as other technical aspects regarding its security and capabilities.

Keys are editable, so some of their attributes can be changed after creation. To be used they must be stored in keyrings, which GnuPG creates automatically. They can also be transported to other machines or exported as backup copies.
CHAPTER 5


What is GnuPG?


GnuPG, short for GNU Privacy Guard, is a piece of software (a computer program) that aims to offer privacy and security to digital communications by encrypting their contents. It is often used together with e-mail to send and receive messages, but it can also be used to protect information that stays stored locally, such as backup copies.


GnuPG is a free (libre) alternative to the original PGP software developed by Philip Zimmermann in 1991, since PGP was not — and still is not — free (libre). PGP stands for Pretty Good Privacy and it was incredibly popular from the beginning. As a consequence, other programs started to appear that used the same system. Realizing that a standardized version would be beneficial to all, Mr. Zimmermann proposed a standard called OpenPGP, which is an open, standardized, patent- and royalty-free protocol for PGP.


GnuPG is compliant with the OpenPGP protocol, which makes it compatible with other alternatives available on the market. However, the largest advantage of GnuPG is that it is 100% free software, which means it respects your freedom, so you are free to:


• Use the program in any way you wish.
• Study how the program works internally, and adapt it to your needs if you wish.
• Distribute original copies of the program to others.
• Distribute modified copies of the program to others.


You can do any of those things without asking permission from anyone or any company. Besides, GnuPG also has several other advantages:


• It is completely free (as in costless).
• It has been in constant development for 15 years.
• It is free from patents or royalties.
• It can be used at home, in business, in governments and in public systems.
• It offers military level cryptography, the highest available today.
• It is compatible with most popular operating systems, including Microsoft Windows, Apple OS X, Android, iOS, GNU/Linux, BSD, and other *NIX-like distributions.


GnuPG is one of the most powerful cryptography programs available on the market today, and it is relatively easy for the layperson to obtain, set up and use. It is also compatible with many popular applications such as e-mail clients and chat programs.
5.1 - What GnuPG does and does not do


Although it is a very powerful piece of software, there are some things that GnuPG cannot do, so to avoid misconceptions let's see some of the things GnuPG can and cannot do.


GNUPG DOES...


✓ Encrypt and decrypt your messages
o Your messages are encrypted, including the attachments, so no one knows their contents or what they are about; only the recipient can decrypt them.


✓ Sign your messages
o Your messages are signed to ensure they were sent by you and were not tampered with or modified along the way by an intruder.


✓ Prevent others from building a profile of you based on the terms you use
o Since they are not able to know the contents of your message, they cannot build a profile of you based on the words you use, which they could use to monitor you or offer you intrusive advertising.


GNUPG DOES NOT...


✗ Encrypt the subject of the messages
o There is no standard yet that allows the e-mail subject to be encrypted.


✗ Prevent others from knowing your location and IP address
o Your IP address will still show up in the message, which can be used to track your location, and eventually track you down.


✗ Prevent others from knowing the e-mail header
o Your e-mail header is a bunch of information related to your machine that goes hidden in every e-mail message, such as your IP address, your local time, your e-mail client, your operating system, etc.


✗ Prevent others from knowing whom you contact and how often
o The recipient of the e-mail message is not hidden, and thus they can know to whom you are sending the message.


✗ Prevent others from storing your messages
o They may store your messages for future decryption. E.g. they cannot decrypt the message now, but in the future new technologies or systems may emerge that could break today's “unbreakable” cryptography.


✗ Prevent others from knowing the size of your messages
o Message size often gives a clue about what you are sending. Heavier messages almost certainly mean that there are attachments included.
5.2 - Additional suggestions


Here are some simple additional suggestions to improve your security online:


• Always use cryptography for all messages, not only for the important ones.
o Don't use cryptography only for the important messages, because then it is too obvious that you are sending something important — instead use it with all messages.


• Use cryptography with all your contacts.
o Try as much as possible to use cryptography with all your contacts instead of using it with just the ones you consider most important.


• Do not use revealing subject lines
o There's no point in encrypting your message if the subject line is revealing, such as “Pictures of myself naked” or “My credit card number with password” or “My house will be empty for two weeks”. Instead, be discreet.


• Use a free/libre e-mail client
o Although cryptography is supported by many e-mail clients, including proprietary ones such as Microsoft Outlook, it is recommended that you use it with a free/libre e-mail client such as Mozilla Thunderbird, because due to their open nature they are often much more secure.


• Use a strong password
o The best cryptography system in the world won't help you a bit if you use weak, easy-to-break passwords, so always use very strong passwords.


• Use a powerful antivirus and keep your system clean
o You may use the best cryptography system in the world plus very strong passwords, but this is completely useless if your system is compromised by a virus or any other type of malware. So always use genuine software and keep your system clean and up to date.


5.3 - Conclusion 


GnuPG is a very powerful piece of software that does a lot, but it's not a matter of just installing it and having it magically do everything to secure you. You have to do your part as well.
PART 2


CONFIGURING
AND
USING PROGRAMS


In this part you will learn:


> How to install GnuPG
> How to install and configure Mozilla Thunderbird
> How to install and configure Enigmail
GnuPG in six easy steps


Below are listed the six basic steps necessary to use e-mail cryptography, all of which are covered in this part of the manual. When you are finished you will be able to send and receive e-mails with maximum security.
1 - INSTALL GNUPG
GnuPG is the cryptography software used for everything here.


2 - CREATE YOUR KEY PAIR
A key pair is necessary for you to communicate with others, and they with you.


3 - INSTALL THUNDERBIRD
Mozilla Thunderbird is the free/libre e-mail client used in this guide.


4 - INSTALL ENIGMAIL
Enigmail is the Thunderbird add-on that is responsible for bringing cryptography to e-mail.


5 - EXCHANGE KEYS
You send your public key to your contacts and they send theirs to you.


6 - SET RULES
You set the level of trust you have in your contacts, and when your messages should be signed and encrypted.


CHAPTER 6
Installation


The first step to using GnuPG is to install it. GnuPG is distributed completely free of cost, so you can easily obtain it online. Here we cover GnuPG installation on the most common operating systems, Microsoft Windows and *NIX distributions, but it is also available for other systems, such as Apple OS X.


6.1 Microsoft Windows 


There is a tool bundle developed for Microsoft Windows called Gpg4win, which includes 
GnuPG, additional software and documentation. 


Fortunately Gpg4win comes with graphical tools and native integration with the Windows Explorer file manager, making it easier and more intuitive to use.


1 - Download Gpg4win


Gpg4win can be downloaded from this website: http://www.gpg4win.org/download.html


Click on the first button to download the full version, as indicated in Figure 3.


[Screenshot: Gpg4win download page for "Gpg4win 2.2.1 (Released: 2013-10-07)", with the 
download link for the full version including the Gpg4win compendium (size: 29 MByte), 
links to the OpenPGP signature and the SHA1 checksum for gpg4win-2.2.1.exe, and the changelog] 


Figure 3: Gpg4win download button 
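The download page in Figure 3 publishes an OpenPGP signature and a SHA1 checksum for the installer, and comparing one of them against the saved file before running it catches a corrupted or substituted download. The following is an added example, not code from this guide or from the Gpg4win project; it assumes a POSIX shell with the sha1sum utility (as on the *NIX systems of section 6.2), and the checksum you pass in is copied by hand from the download page.

```shell
#!/bin/sh
# Added example (not from the guide or from the Gpg4win project): compare the SHA1
# of a downloaded installer with the checksum published on the download page
# before running it. Assumes POSIX sh and sha1sum from GNU coreutils.

# normalize_hex: lower-case a digest and drop spaces or line breaks so that a
# value copied from a web page compares equal to what sha1sum prints.
normalize_hex() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r\n'
}

# sha1_of_file FILE: the SHA1 digest of FILE as 40 lower-case hex digits.
sha1_of_file() {
    sha1sum "$1" | cut -d ' ' -f 1
}

# verify_sha1 FILE EXPECTED: exit 0 when FILE's digest equals EXPECTED, 1 on a
# mismatch, 2 when EXPECTED is not a usable digest (for example truncated while
# copying) or FILE cannot be read. On anything but 0 the file must not be run.
verify_sha1() {
    file=$1
    expected=$(normalize_hex "$2")
    case $expected in
        '' | *[!0-9a-f]*) echo "verify_sha1: expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "verify_sha1: a SHA1 has 40 hex digits, got ${#expected}" >&2
        return 2
    fi
    [ -r "$file" ] || { echo "verify_sha1: cannot read $file" >&2; return 2; }
    actual=$(sha1_of_file "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA1"
        return 0
    fi
    echo "MISMATCH: $file differs from the published SHA1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the real download: after saving the installer and copying the
# checksum from the page (the value below is a placeholder, not the real one), run
#   verify_sha1 gpg4win-2.2.1.exe "<checksum copied from the download page>"
# and launch the installer only when it prints OK.
```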
2 - Choose the language 


Choose the language used for setup. 


[Screenshot: "Installer Language" dialog asking you to choose a language for the setup] 


Figure 4: Installer language 


3 - Opening screen 


This is just the opening screen. Click Next to continue. 


[Screenshot: Gpg4win Setup, "Welcome to the installation of Gpg4win". The screen explains 
that Gpg4win is an installer package for Windows for e-mail and file encryption using the 
core component GnuPG for Windows, that both relevant cryptography standards, OpenPGP and 
S/MIME, are supported, and that Gpg4win and the software included with it are Free Software. 
It shows Gpg4win version 2.2.1, release date 2013-10-07, and "Click Next to continue."] 


Figure 5: Opening screen 
4 - License screen 


Here is presented a copy of the license. Click Next to continue. 


[Screenshot: Gpg4win Setup, "License Agreement". The software is licensed under the terms 
of the GNU General Public License (GPL). Gpg4win consists of several independently developed 
packages available under different license conditions, most of them under the GNU GPL; common 
to all is that they are free to use without restrictions, may be modified and that modifications 
may be distributed. A list of individual copyright and license notices is in the installed 
README file. In short: you are allowed to run this software for any purpose, and you may 
distribute it as long as you give the recipients the same rights you have received.] 


Figure 6: License screen 
5 - Choose components 


Here you can choose the components that will be installed together with GnuPG. Below 
there is a description of each component: 


[Screenshot: Gpg4win Setup, "Choose Components". The list of components to install shows 
Kleopatra, GPA, GpgOL, GpgEX, Claws-Mail and Gpg4win Compendium, each with a checkbox, a 
Description panel on the right, and "Space required: 99.1MB".] 


Figure 7: Choose components 


GnuPG: The main software of the package, it cannot be deselected. 


Kleopatra: A graphical alternative to GnuPG. It is recommended to install it since it is very 
powerful and greatly simplifies GnuPG usage. 


GPA: Another graphical alternative to GnuPG. Although smaller and faster than Kleopatra, 
it is less powerful and often has many bugs. 


GpgOL: GnuPG extension for Microsoft Outlook. Only install it if you use this software. 
Note that in this tutorial we use Mozilla Thunderbird in our examples, but you are free to 
use other e-mail clients if you want. 


GpgEX: GnuPG extension for Windows Explorer. It is recommended to install it. 


Claws-Mail: A lightweight e-mail client. You don't have to install it if you use another 
e-mail client, or if you follow this tutorial since we use Mozilla Thunderbird here. 


Gpg4win Compendium: Gpg4win documentation in English and German. 
6 - Choose install location 


Here you can choose a different install location if you want. Click Next to continue. 


[Screenshot: Gpg4win Setup, "Choose Install Location". Setup will install Gpg4win in the 
folder shown in the Destination Folder field (C:\Program Files\GNU\GnuPG); to install in a 
different folder, click Browse and select another folder. Space required: 99.1MB.] 


Figure 8: Choose install location 


7 - Choose where you want the links to show 


Here you can choose where you want the start links to show. Click Next to continue. 


[Screenshot: Gpg4win Setup, "Install Options - Start links". Checkboxes for where Gpg4win 
shall install links: Start Menu, Desktop and Quick Launch Bar (only programs are linked into 
the quick launch bar).] 


Figure 9: Start links 
8 - Choose the folder name in Start Menu 


Here you can choose the name GnuPG will have in Start Menu. Click Next to continue. 


[Screenshot: Gpg4win Setup, "Choose Start Menu Folder". A text field with the folder name 
Gpg4win and, below it, the list of Start Menu folders already present on the machine.] 


Figure 10: Start Menu name 


9 - Wait for the installation to finish 


Wait until the installation finishes. 


[Screenshot: Gpg4win Setup, "Installing - Please wait while Gpg4win is being installed", 
with a progress bar (currently extracting gpgex.dll).] 


Figure 11: Installation progress 
10 - Installation complete 


GnuPG is now installed and ready to use. Click on Finish. 


[Screenshot: Gpg4win Setup, "Completing the Gpg4win Setup Wizard". Gpg4win has been 
installed on your computer; click Finish to close the wizard. Options shown: "Show the 
README file" and "Click here for the project's homepage".] 


Figure 12: Installation complete 
6.2 *NIX systems 


In *NIX systems most tasks are done through the CLI (Command Line Interface), also 
known as the Terminal Emulator. If you want to use GnuPG with a graphical interface you 
need to install separate software. Here we cover how to install both. 


6.2.1 Installing GnuPG 


GnuPG usually comes installed by default in most *NIX distributions. To check if it is 
installed in your system use the commands below: 


$ gpg --version     # To check if GnuPG version 1.x is installed 


$ gpg2 --version    # To check if GnuPG version 2.x is installed 


We will install GnuPG version 2.x because this is the most recent GnuPG version, and it is 
the version we use throughout this book, but you can also use version 1.x if you wish, since 
they are compatible with each other. 


Here are the commands to install it in the most common *NIX distributions: 


Arch Linux: 


$ sudo pacman -S gnupg 


Debian, Mint, Ubuntu: 


$ sudo apt-get install gnupg2 


Fedora, CentOS: 


$ sudo yum install gnupg2 


Gentoo, Sabayon: 


$ sudo emerge gnupg 


Mageia: 


$ sudo urpmi gnupg2 


FreeBSD, OpenBSD: 


$ sudo pkg_add -r -v gnupg2 


6.2.2 Installing Seahorse 


Seahorse is a graphical program that can be used as an alternative to the GnuPG command-line 
interface for some functions, such as creating and deleting keys, importing and exporting 
certificates, modifying keys, etc. Seahorse depends on GTK to work properly. 


Arch Linux: 


$ sudo pacman -S seahorse 


Debian, Mint, Ubuntu: 


$ sudo apt-get install seahorse 


Fedora, CentOS: 


$ sudo yum install seahorse 


Gentoo, Sabayon: 


$ sudo emerge seahorse 


Mageia: 


$ sudo urpmi seahorse 


FreeBSD, OpenBSD: 


$ sudo pkg_add -r -v seahorse 
CHAPTER 7 
Create a key pair 


A key pair is the basic element of public key cryptography and it consists of a private key 
and a public key. They are necessary for you to communicate securely with other users. 
Here we explain how to create a key pair in three different ways: in text mode (which works 
on both systems) and in graphical mode (separate instructions for Microsoft Windows and 
*NIX systems). 
7.1 Text mode 

1 - Start GnuPG key generation wizard 


Type the command below to start the GnuPG key generation wizard. 


$ gpg --gen-key 


2 - Choosing the key type 


The first step is to choose the type of key you want. We will choose the first option, which is 
the default option, RSA and RSA. Enter 1 and press Enter. 


gpg (GnuPG) 2.0.20; Copyright (C) 2013 Free Software Foundation, Inc. 
This is free software: you are free to change and redistribute it. 
There is NO WARRANTY, to the extent permitted by law. 


Please select what kind of key you want: 
   (1) RSA and RSA (default) 
   (2) DSA and Elgamal 
   (3) DSA (sign only) 
   (4) RSA (sign only) 
Your selection? 


3 - Choosing the key length 


Now you will choose the length of your key. As a general rule, the longer the key, the more 
secure and the harder to crack it is, so we will choose 4096 bits, which is the maximum 
allowed. Enter 4096 and press Enter. 


RSA keys may be between 1024 and 4096 bits long. 
What keysize do you want? (2048) 
Requested keysize is 4096 bits 


4 - Choosing the expiry of the key 


The key may have an expiry that ranges from days to years, or simply not have any expiry 
at all. To create a key with an expiry just follow the example below: 


0 The key never expires. 

4 The key expires in 4 days. 
6w The key expires in 6 weeks. 
2m The key expires in 2 months. 
5y The key expires in 5 years. 


You can choose the period that is more adequate to your needs by following this pattern, 
just change the values accordingly. It is always possible to change the values later. 


In our case we will make a key without expiry, so enter 0 (zero) and then press [Y] to 
confirm. 


Please specify how long the key should be valid. 
         0 = key does not expire 
      <n>  = key expires in n days 
      <n>w = key expires in n weeks 
      <n>m = key expires in n months 
      <n>y = key expires in n years 
Key is valid for? (0) 
Key does not expire at all 
Is this correct? (y/N) 


5 - Entering personal data of the key 


Here you will enter your data as shown below. It will be used to create your key and 
will be associated with it. The comment is optional. 


If you have more than one e-mail address you can associate them with your key later, instead 
of having to create a new key pair for each e-mail address. When you finish, type O (letter 
O) and press Enter to confirm. 


GnuPG needs to construct a user ID to identify your key. 


Real name: 
Email address: 
Comment: 
You selected this USER-ID: 
    "John Doe (John's key) <john.doe@example.org>" 


Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 


6 - Entering your password 


This is one of the most important steps of the whole process. The strength and security of 
your key are directly related to your password. There is no point in using the best encryp- 
tion system in the world if you use a weak password, so choose a VERY STRONG password! 


Enter your password twice and press Enter. Depending on how GnuPG is set up in your 
system you may have to type your password on the terminal or in a new window. If you type it 
in the terminal it does not show up while you type. 


You need a Passphrase to protect your secret key. 


7 - Generating a new key 


Now that you have entered all your data, GnuPG will generate a new key. To generate a really 
secure key it needs unpredictable data (entropy), and the best way to supply it is to perform 
varied activities during this process. 


Try opening and closing some heavy programs, move the mouse cursor a lot, or open a text 
editor and type a lot of random text. 


This process takes about 5 minutes, so have patience. During this time GnuPG may show 
text similar to the image below. 


We need to generate a lot of random bytes. It is a good idea to perform 
some other action (type on the keyboard, move the mouse, utilize the 
disks) during the prime generation; this gives the random number 
generator a better chance to gain enough entropy. 


8 - Key generated 


Congratulations, you have just created your first key pair! :) 


gpg: key 9C08F860 marked as ultimately trusted 
public and secret key created and signed. 


gpg: checking the trustdb 
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model 
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u 
pub   4096R/9C08F860 2013-12-23 
      Key fingerprint = 5259 EB00 049D 9C06 5D1F 08C7 6A4F 6BF2 9C08 F860 
uid                  John Doe (John's key) <john.doe@example.org> 
sub   4096R/9677ED61 2013-12-23 


9 - Verify your key 


To verify your key just type the command below: 


$ gpg --list-secret-keys --fingerprint 


sec   4096R/9C08F860 2013-12-23 
      Key fingerprint = 5259 EB00 049D 9C06 5D1F 08C7 6A4F 6BF2 9C08 F860 
uid                  John Doe (John's key) <john.doe@example.org> 
ssb   4096R/9677ED61 2013-12-23 


If you did everything correctly you should see a summary of your key on the screen, 
including the key's fingerprint, which is a unique code that only this key in the world has. 
When you send your public key to other people, the only way they can be certain that the key 
they received is yours and was not tampered with along the way is by confirming the key's 
fingerprint with you. 
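Comparing fingerprints can be done by eye, but the shell functions below do it without the usual slips (spacing, letter case, matching only the 8-digit key ID). This is an added example, not code from this guide or from GnuPG; it assumes POSIX sh and awk, and the only GnuPG call it makes is gpg --with-colons --fingerprint, whose record layout the embedded sample listing imitates with constructed placeholder fingerprints.

```shell
#!/bin/sh
# Added example (not from the guide or from GnuPG): check that a key you received
# is the one your contact told you about by comparing the whole fingerprint, as
# section 7.1 step 9 recommends. Assumes POSIX sh and awk; gpg itself is only
# needed by fingerprint_from_keyring, the other functions work offline.

# normalize_fpr: fingerprints are written with spaces and in mixed case
# ("5259 EB00 ..."), so strip whitespace and upper-case before comparing.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# fingerprint_from_colons: read gpg's machine-readable listing
# (gpg --with-colons --fingerprint) on stdin and print the fingerprint of the
# primary key. The fingerprint is field 10 of an "fpr" record; the first such
# record after "pub" belongs to the primary key, later ones belong to subkeys.
fingerprint_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# fingerprint_from_keyring KEYID: the fingerprint gpg reports for KEYID in the
# local keyring (empty output if the key is not there).
fingerprint_from_keyring() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null | fingerprint_from_colons
}

# fingerprint_matches TRUSTED ACTUAL: exit 0 when both denote the same
# 40-hex-digit fingerprint, 1 on mismatch, 2 when either value is malformed.
# Matching only the short key ID (the last 8 digits) is not enough: the full
# fingerprint is what identifies the key.
fingerprint_matches() {
    trusted=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    for f in "$trusted" "$actual"; do
        case $f in
            '' | *[!0-9A-F]*) return 2 ;;
        esac
        [ "${#f}" -eq 40 ] || return 2
    done
    [ "$trusted" = "$actual" ]
}

# Constructed sample listing (placeholder fingerprints, not a real key) in the
# shape gpg --with-colons --fingerprint prints for a key with one subkey. The
# subkey's fpr record is included to show why only the first one is taken.
SAMPLE_LISTING='pub:u:4096:1:0D0E0F1011121314:2013-12-23:::u:::scESC:
fpr:::::::::0102030405060708090A0B0C0D0E0F1011121314:
uid:u::::2013-12-23::0000000000000000000000000000000000000000::Jane Doe <jane.doe@example.org>:
sub:u:4096:1:AAAAAAAAAAAAAAAA:2013-12-23::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Usage: compare the fingerprint your contact read out to you with the one in
# the (sample) listing. With a real key, replace the listing by
# fingerprint_from_keyring "<key ID or e-mail address>".
actual_fpr=$(printf '%s\n' "$SAMPLE_LISTING" | fingerprint_from_colons)
if fingerprint_matches "0102 0304 0506 0708 090A 0B0C 0D0E 0F10 1112 1314" "$actual_fpr"; then
    echo "fingerprint matches: the key is the one your contact described"
else
    echo "fingerprint does NOT match: do not use this key" >&2
fi
```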
7.2 Microsoft Windows 
1 - Open Kleopatra 


Open Kleopatra and click on File > New Certificate, or press Ctrl+N. 


[Screenshot: Kleopatra main window with the File menu open. The menu lists New 
Certificate... (Ctrl+N), Lookup Certificates on Server... (Ctrl+Shift+I), Import 
Certificates... (Ctrl+I), Export Certificates..., Export Secret Keys..., Export 
Certificates to Server... (Ctrl+Shift+E), Decrypt/Verify Files..., Sign/Encrypt Files..., 
Create Checksum Files..., Verify Checksum Files..., Close (Ctrl+W) and Quit (Ctrl+Q).] 
Figure 13: Create a new certificate 


2 - Choose the first option 


Choose the first option 'Create a personal OpenPGP key pair'. 


[Screenshot: Certificate Creation Wizard, "Choose Certificate Format". Two options: 
"Create a personal OpenPGP key pair" (OpenPGP key pairs are created locally and certified by 
your friends and acquaintances; there is no central certification authority, instead every 
individual creates a personal Web of Trust by certifying other users' key pairs with their 
own certificate) and "Create a personal X.509 key pair and certification request" (X.509 key 
pairs are created locally but certified centrally by a certification authority (CA); CAs can 
certify other CAs, creating a central, hierarchical chain of trust). Buttons: Back, Next, 
Cancel.] 


Figure 14: Choose the first option 
3 - Enter basic details of your key 


Here you will enter your basic personal details which will be part of your key and will be 
visible to anyone who has your key. The name and e-mail address are required, while the 
comment is optional. When you are done click on Advanced Settings button. 


[Screenshot: Certificate Creation Wizard, "Enter Details". Fields Name (John Doe, required), 
EMail (john.doe@example.org, required) and Comment (This is my personal key, optional); the 
resulting user ID "John Doe (This is my personal key) <john.doe@example.org>" is shown 
below them, next to an "Advanced Settings..." button.] 


Figure 15: Enter basic details of your key 
4 - Set advanced settings 

Here you will set the advanced settings of your key. 

Key Material: Select RSA as the key type and set the key length to 4,096 bits. 
Certificate Usage: Check options Signing and Encryption. 

Valid until: You can define any value you want. Uncheck it if you want no expiry. 


When you are done click on OK button. You will return to the previous screen. Just click 
Next to proceed. 


[Screenshot: Advanced Settings dialog, "Technical Details". Key Material: RSA selected, with 
the key length drop-down set to 4,096 bits (2,048 bits is the default), and the other key 
type and subkey options below it. Certificate Usage: checkboxes for Signing, Certification, 
Encryption and Authentication, with Signing and Encryption checked. "Valid until" with a 
date field.] 


Figure 16: Advanced settings 
5 - Review details 


Review all details that will be part of your key. If you would like to change anything 
just click on the Back button, otherwise click on the Create Key button to create your key. 


[Screenshot: Certificate Creation Wizard, "Review Certificate Parameters". Name: John Doe; 
Email Address: john.doe@example.org; Comment: This is my personal key; Key Type: RSA; 
Key Strength: 4,096 bits; Certificate Usage: Sign, Encrypt. Buttons: Back, Create Key, 
Cancel.] 


Figure 17: Review details 


6 - Choose a password 


This is one of the most important steps of the whole process. The strength and security of 
your key are directly related to your password. There is no point in using the best 
encryption system in the world if you use a weak password, so choose a VERY STRONG password! 


[Screenshot: pinentry window, "Enter passphrase", with a masked Passphrase field and a 
Quality bar.] 


Figure 18: Enter password 
7 - Wait for the key creation 


During the key creation process it is necessary to generate random numbers, so it is impor- 
tant that you do activities that stimulate this process, such as typing on the keyboard, mov- 
ing the mouse, opening and closing programs, etc. 


Kleopatra offers a text field where you can type whatever you want to stimulate this 
process. It does not matter what you type, because only the timing of your keystrokes is 
used; the text itself is not used in the key creation and will not be part of the key. 


[Screenshot: Certificate Creation Wizard, "Creating Key... Your key is being created". The 
text explains that creating a key requires large amounts of random numbers, that you can 
use the entry field below to enter some gibberish (the text itself does not matter, only 
the inter-character timing), and that you can also move the window around with the mouse 
or start some disk-intensive application. The field contains randomly typed characters.] 


Figure 19: Creating your key. Use the field above to enter some random text. 
8 - Confirmation 
Congratulations, you have just created your first key pair! :) 


A confirmation window will show up with your key's fingerprint, which is a unique code 
that only this key in the world has. When you send your public key to other people, the 
only way they can be certain that the key they received is yours and was not tampered with 
along the way is by confirming the key's fingerprint with you. 


You can choose any of the three options suggested below, or just finish the process. We will 
finish the process, so click on Finish button. 


[Screenshot: Certificate Creation Wizard, "Key Pair Successfully Created". Result: 
"Certificate created successfully", followed by the new key's fingerprint. Next Steps: 
"Make a Backup Of Your Key Pair...", "Send Certificate By EMail..." and "Upload 
Certificate To Directory Service...".] 


Figure 20: Confirmation window 


Page 46 of 140 https://goldencontest.wordpress.com 


GnuPG High Level Cryptography ©2014 Golden Keys 


9 - Verify your key 


Now you will notice that your recently created key appears in Kleopatra. 


[Screenshot: Kleopatra main window, "My Certificates" tab (next to Trusted Certificates, 
Other Certificates and All Certificates), listing the newly created key with its Name, 
E-Mail, Valid From, Valid Until, Details and Key-ID columns.] 


Figure 21: Created key 


Every time you want to check details about your key, or make changes to it, just select your 
key, right-click it and select Properties in the menu. 
7.3 *NIX systems 
1 - Open Seahorse 


Open Seahorse and click on File > New Certificate, or press 


[Screenshot: Seahorse main window, titled "Passwords and Keys".] 


Figure 22: Open Seahorse 


2 - Choose PGP Key option 


[Screenshot: Seahorse dialog "Select the type of item to create", listing Password Keyring 
(used to store application and network passwords), PGP Key (used to encrypt email and 
files), Private key (used to request a certificate), Secure Shell Key (used to access other 
computers, e.g. via a terminal) and Stored Password (safely store a password or secret). 
Buttons: Cancel, Continue.] 


Figure 23: Choose PGP Key 
3 - Enter basic details of your key 


Here you will enter your basic personal details which will be part of your key and will be 
visible to anyone who has your key. The name and e-mail address are required, while the 
comment is optional. When you are done click on Advanced key options. 


[Screenshot: Seahorse dialog for entering the new key's basic details.] 


Figure 24: Enter basic details 
4 - Set advanced details 

Here you will set the advanced settings of your key. 

Encryption Type: Select RSA. 

Key Strength (bits): Set the key length to 4096. 

Valid until: You can define any value you want. Uncheck it if you want no expiry. 


When you are done click on Create button to create your key. 


[Screenshot: Seahorse dialog with the advanced key options expanded.] 


Figure 25: Set advanced options 
5 - Choose a password 


This is one of the most important steps of the whole process. The strength and security of 
your key are directly related to your password. There is no point in using the best encryp- 
tion system in the world if you use a weak password, so choose a VERY STRONG password! 


[Screenshot: "Passphrase for New PGP Key" dialog: "Enter the passphrase for your new key 
twice", with masked Password and Confirm fields.] 


Figure 26: Enter password 


7 - Wait for the key creation 


During the key creation process it is necessary to generate random numbers, so it is impor- 
tant that you do activities that stimulate this process, such as typing on the keyboard, mov- 
ing the mouse, opening and closing programs, etc. 


[Screenshot: "Generating key" dialog. When creating a key we need to generate a lot of 
random data and we need you to help; it is a good idea to perform some other action like 
typing on the keyboard, moving the mouse or using applications, which gives the system the 
random data that it needs.] 


Figure 27: Key being generated 
8 - Confirmation 
Congratulations, you have just created your first key pair! :) 


Now you will notice that your recently created key appears in Seahorse. 


[Screenshot: "Passwords and Keys" window listing the new key: Jane Doe, Personal PGP key, 
jane.doe@example.org.] 


Figure 28: Your recently created key 


Every time you want to check details about your key, or make changes in it, just select your 
key, right-click it and select Properties in the menu. 
CHAPTER 8 


Thunderbird and Enigmail 


Mozilla Thunderbird is an e-mail client similar to Microsoft Outlook, and Enigmail is a 
Thunderbird add-on that brings encryption to it. Both are free software (software libre) and 
are distributed completely free of cost, so you can easily obtain them online. 


8.1 Installation 


The first step to use both programs is to install them. In this section we cover Mozilla 
Thunderbird installation in Microsoft Windows and *NIX distributions, but it is also available 
for other systems such as Apple OS X. 


8.1.1 Windows installation 
1 - Download Thunderbird 


Mozilla Thunderbird can be downloaded from the official Mozilla website: 


https://www.mozilla.org/Thunderbird 


[Screenshot: Thunderbird download page with the "Free Download" button.] 


Figure 29: Thunderbird download 
2 - Install Thunderbird 


Thunderbird installation is a very straightforward process, as indicated below: 


[Screenshot: Windows "Open File - Security Warning" dialog: "Do you want to run this 
file?", Name: Thunderbird Setup 24.2.0.exe, Publisher: Mozilla Corporation, Type: 
Application, From: the user's Desktop, with the checkbox "Always ask before opening this 
file" and the note that files from the Internet can potentially harm your computer and that 
you should only run software from publishers you trust.] 


Figure 30: Security warning 


[Screenshot: Mozilla Thunderbird Setup, "Welcome to the Mozilla Thunderbird Setup Wizard". 
This wizard will guide you through the installation; it is recommended that you close all 
other applications before starting Setup, so that relevant system files can be updated 
without having to reboot. Click Next to continue.] 


Figure 31: Welcome screen 
[Screenshot: Mozilla Thunderbird Setup, "Setup Type - Choose setup options". Options: 
Standard (Thunderbird will be installed with the most common options) and Custom (you may 
choose individual options to be installed; recommended for experienced users), plus the 
checkbox "Use Thunderbird as my default mail application".] 


Figure 32: Setup type 


[Screenshot: Mozilla Thunderbird Setup, "Summary - Ready to start installing Thunderbird". 
Thunderbird will be installed to C:\Program Files\Mozilla Thunderbird and will be set as 
your default mail application. Click Install to continue.] 


Figure 33: Summary 
[Screenshot: Mozilla Thunderbird Setup, "Installing - Please wait while Mozilla Thunderbird 
is being installed", with a progress bar and a Cancel button.] 


Figure 34: Installation progress 


[Screenshot: Mozilla Thunderbird Setup, "Completing the Mozilla Thunderbird Setup Wizard". 
Mozilla Thunderbird has been installed on your computer; click Finish to close the wizard. 
Checkbox: "Launch Mozilla Thunderbird now".] 


Figure 35: Installation complete 
8.1.2 *NIX installation 


Below are the commands for the most common *NIX distributions: 


Arch Linux: 


$ sudo pacman -S thunderbird 


Debian, Mint, Ubuntu: 


$ sudo apt-get install thunderbird 


Fedora, CentOS: 


$ sudo yum install thunderbird 


Gentoo, Sabayon: 


$ sudo emerge thunderbird 


Mageia: 


$ sudo urpmi thunderbird 


FreeBSD, OpenBSD: 


$ sudo pkg_add -r -v thunderbird 
8.2 Configuring your e-mail account 


Open Thunderbird and in the Welcome screen click on the button 'Skip this and use my 
existing email'. 


[Screenshot: "Welcome to Thunderbird" screen asking "Would you like a new email address?", 
with a search field for your name or nickname, the partner providers gandi.net and Hover.com, 
a note that the search terms are sent to Mozilla and to the third-party e-mail providers, 
and the buttons "Skip this and use my existing email" and "I think I'll configure my account 
later."] 


Figure 36: Welcome screen 
Enter your name, e-mail address and e-mail password in the fields below. You are configuring 
an account to be used with the key pair you created in chapter 7, so use the same e-mail 
address you created your key for. Check 'Remember password' if you want Thunderbird to 
remember your password automatically every time you open it. 


When you are done click on Continue button. 


[Screenshot: "Mail Account Setup" dialog with the fields Your name (John Smith), Email 
address (johnsmith8000@gmx.com) and Password (masked), the "Remember password" checkbox, 
and the buttons Get a new account, Continue and Cancel.] 


Figure 37: Enter e-mail information 
Thunderbird automatically tries to guess the correct configuration for your e-mail account. 
It usually gives you two choices: IMAP and POP3. We recommend that you use IMAP. 


If for any reason Thunderbird cannot set up your account correctly, or you would rather use 
a different configuration, then click on the button Manual config to manually insert the cus- 
tom configuration. In this case you can check the help section of your e-mail provider, they 
usually offer instructions on how to use accounts with other e-mail clients like Thunderbird. 


When you are finished click on Done button. 


[Screenshot: "Mail Account Setup" dialog after "Configuration found in Mozilla ISP 
database", with the same name, e-mail and password fields as before. Choice between IMAP 
(remote folders) and POP3 (keep mail on your computer). Incoming: IMAP, imap.gmx.com, SSL. 
Outgoing: SMTP, mail.gmx.com, SSL. Username: johnsmith8000@gmx.com. Buttons: Get a new 
account, Manual config, Cancel.] 


Figure 38: Account configuration 


That's it, your account is now created. Now you will be taken to Thunderbird's main screen 
where your messages will be synchronized with the ones you have in your webmail. If you 
are using IMAP your messages will remain stored in your e-mail provider, so you can still 
access them from other computers or from the web browser. 
If you wish to have the old menu bar just right-click on the menu area in Thunderbird and 
choose Menu bar, as shown in the images below. 


[Screenshot: Thunderbird toolbar area with the context menu open, showing the entries 
Menu Bar, Mail Toolbar (checked), Quick Filter and Customize....] 


Figure 39: Choose menu bar 


[Screenshot: Thunderbird with the menu bar visible: File, Edit, View, Go, Message, OpenPGP, 
Tools, Help, above the Get Mail, Write, Chat, Address Book, Tag, Decrypt and Quick Filter 
buttons.] 


Figure 40: Thunderbird with menu bar 


That's it, now you have the old menu bar. 
8.3 Configuring Enigmail 
1 - Open Add-ons 


Click on menu Tools > Add-ons. In *NIX systems the menu is Edit > Preferences instead. 


[Screenshot: Thunderbird with the Tools menu open, showing Address Book (Ctrl+Shift+B), 
Saved Files (Ctrl+J), Add-ons, Activity Manager and Chat status.] 
Figure 41: Open Add-ons 


2 - Search for Enigmail 


In the search field in the upper right corner enter Enigmail and press Enter. 


[Screenshot: Add-ons Manager with "Enigmail" typed in the search field. The result list 
shows Enigmail 1.6, last updated Tuesday, October 22, 2013: "OpenPGP message encryption 
and authentication for Thunderbird".] 


Figure 42: Search for Enigmail 
3 - Install Enigmail 


Click on Install button and wait until the installation finishes. 


[Screenshot: Add-ons Manager showing "Enigmail 1.6 Downloading".] 


Figure 43: Installation progress 


4 - Restart Thunderbird 


Click on Restart now button, or close and open Thunderbird again. 


[Screenshot: Add-ons Manager with the notice that Enigmail will be installed after you 
restart, with a "Restart now" link, and the entry Enigmail 1.6 (Monday, December 16, 2013): 
"OpenPGP message encryption and authentication".] 


Figure 44: Restart Thunderbird 
5 - Start the Wizard 


Click on the OpenPGP menu and choose Setup Wizard. When the Wizard pops up, select the 
first option 'Yes, I would like the Wizard to get me started' and click on Next. 


Figure 45: Start Setup Wizard 


Figure 46: Welcome screen 
6 - Choose signing behavior 


It is good practice to sign all outgoing e-mails, so we will choose this option. 


Figure 47: Signing behavior 
7 - Choose encryption behavior 


You can choose between encrypting all outgoing e-mails by default, or creating custom 
rules for each one of your contacts. You should only choose the first option if you have the 
public keys of all or almost all of your contacts; otherwise choose the second option. 


Here we will choose the second option because we don't have the public keys of our 
contacts, and we want to create custom rules for each one of them. 


Figure 48: Encryption behavior 
8 - Preferences 


Here you can change advanced settings for the encrypting and signing behavior. We will use 
the default configuration, so leave it the way it is and select the second option. 


Figure 49: Advanced settings 
9 - Choosing your private key 


Now you will choose the key that you will use with your e-mails. If you created your 
key in chapter 6 it should appear here now, so you can choose it. If you have multiple keys, 
select the one that belongs to the account you are configuring. 


It is possible to create a key pair through Enigmail instead of using Kleopatra, Seahorse or 
the command line, but we prefer the other methods because Enigmail may sometimes 
present bugs in this process. 


Figure 50: Choose your key 
11 - Conclusion 


A summary will be presented. Click the Next button. 


Figure 51: Summary 


Figure 52: Conclusion 


That's it, Enigmail is now installed and ready to be used with encrypted e-mails. 
8.4 Testing messages 


1 - Write a message 


Now let's do a test: you will write a message to one of your contacts, send him your public 
key and request his public key. Your message will not be encrypted because you do 
not have his public key. Your message will be signed, but he will probably not notice it 
because he may use neither GnuPG nor Thunderbird. 


In Thunderbird go to the menu File → New → Message, or press Ctrl+N to write a new 
message. 


Figure 53: Composing a new message 
2 - Attach your public key 


To attach your public key just go to the OpenPGP menu and select Attach My Public Key. 
Initially you will notice nothing different on screen, but when you click on Send you will see 
your key showing as an attachment on the right side of the screen. 


To attach another public key, or more than one public key, click on the OpenPGP menu and 
select Attach Public Key. This way the attachment board will appear on the right side. 


NOTE: This second option will only be available if Enigmail is set to display advanced 
configurations, otherwise you will not be able to access it (as in the image below). To enable 
it, in Thunderbird's main window click on the OpenPGP menu, select Preferences, and click 
on the button Show Advanced Preferences. 


Figure 54: Attaching your public key 
3 - Send the message 


Just click on the Send button to send the message. 


If the OpenPGP Prompt pops up as in the image below, select the last option to use PGP/MIME 
and check the box below it to use this method from now on. 


Figure 55: Choose attachment encryption/signing method (the prompt offers: Just 
encrypt/sign the message text, but not the attachments; Encrypt/sign each attachment 
separately and send the message using inline PGP; Encrypt/sign the message as a whole and 
send it using PGP/MIME; plus the checkbox Use the selected method for all future attachments) 


Enter the password of your key if requested. 


Figure 56: Enter password 
Figure 57: Sending message 


That's it, your message has been sent. Now your contact must send his public key as well, 
which will be done in the next step. 
8.5 Importing public key 


1 - Verify the answer 


After you have sent your public key to your contact in the previous step, let's consider that 
the person decided to use GnuPG too, so he created a key pair for himself, replied to your 
message and attached his public key as well. It would look similar to the image below: 


Figure 58: Replied message with sender's public key attached 


Your contact also signed the message with his private key, but since you have not imported 
his public key yet, you see the yellow bar prompting “Unverified signature”. 
2 - Import the public key 


After receiving the public key attached to the message you have to import it. Right-click on 
the file's name and select Import OpenPGP Key. 


Figure 59: Importing public key 


A confirmation message will be prompted showing a summary of the imported key. Just 
click OK to proceed. 


Figure 60: Confirmation message ("The key(s) were successfully imported"), showing the GnuPG output: 

gpg: key 0AF53BE1: public key "Mark Moe (Mark's Key) <markmoe2000@yandex.com>" imported 
gpg: Total number processed: 1 
gpg:               imported: 1  (RSA: 1) 


That's it, your key is now imported. 
Now you will notice that the yellow bar turns blue and it says the signature is good and 
untrusted (if nothing happened and the bar is still yellow, try clicking on another folder or 
message, and then selecting his message again). 


Figure 61: Public key has been imported. Yellow bar turned blue. 


It says the signature is good because Thunderbird can now compare the signature in the 
message with the key you have imported, and it is correct, which means that the message is 
really from whom it claims it is (your contact). 


It says it is untrusted because you have not defined the trust level yet, which you will do in 
section 8.6, but before doing it you need to verify the key's fingerprint. 
3 - Verify the key's fingerprint 


Click on the Details button on the blue bar and select OpenPGP Security Info. 


Figure 62: Accessing sender's key info 


It will pop up a window similar to the one below, showing details about his key. 


Figure 63: Checking sender's key info. The window shows "UNTRUSTED Good signature from 
Mark Moe (Mark's Key) <markmoe2000@yandex.com>", Key ID 0x0AF53BE1, signed on 
12/16/2013 6:28 PM, and the key fingerprint 54ED 81BE 1D84 E5AF C173 3DC2 EBFE B24B 0AF5 3BE1. 


The number highlighted in red is the key fingerprint. You should verify this number with 
your contact. This number is the only guarantee that you have received the correct key, and 
it was not modified along the way by an attacker or an intruder. Both of you should have 
the same number. 


When you send your public key to others (as you did in section 8.4), they should also verify 
your key's fingerprint with you. 
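Comparing a fingerprint by eye is error-prone, so here is an added example in Python (not part of the original guide) that normalizes two fingerprint strings and compares them in full. It also shows why the key ID Thunderbird displays (0x0AF53BE1) is not a substitute for the fingerprint: the key ID is just the last 8 hex digits of the fingerprint 54ED 81BE 1D84 E5AF C173 3DC2 EBFE B24B 0AF5 3BE1 shown in Figure 63. The look-alike fingerprint in the code is a constructed value.

```python
"""Fingerprint comparison for an imported OpenPGP key.

Added example, not part of the original guide.  The fingerprint and key ID
come from the guide's screenshots (Mark Moe's key); LOOKALIKE_FINGERPRINT is a
constructed value that shares only the last 8 hex digits with it."""
import re
from typing import Tuple

# Values shown in Figure 63 of the guide.
FINGERPRINT_SHOWN = "54ED 81BE 1D84 E5AF C173 3DC2 EBFE B24B 0AF5 3BE1"
KEY_ID_SHOWN = "0x0AF53BE1"

# Constructed: a different key whose fingerprint ends in the same 32 bits,
# so it would be displayed with the same short key ID as Mark Moe's key.
LOOKALIKE_FINGERPRINT = "0000 0000 0000 0000 0000 0000 0000 0000 0AF5 3BE1"


def normalize_fingerprint(text: str) -> str:
    """Strip spaces and colons, upper-case, and insist on 40 hex digits
    (a v4 OpenPGP fingerprint is 160 bits)."""
    fp = re.sub(r"[\s:]", "", text).upper()
    if fp.startswith("0X"):
        fp = fp[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError(f"not a 40-digit hex fingerprint: {text!r}")
    return fp


def key_ids(fingerprint: str) -> Tuple[str, str]:
    """Return (long key ID, short key ID): the last 16 and last 8 hex digits
    of the fingerprint, which is how GnuPG and Enigmail derive them."""
    fp = normalize_fingerprint(fingerprint)
    return "0x" + fp[-16:], "0x" + fp[-8:]


def fingerprints_match(shown: str, read_back: str) -> bool:
    """True only if the complete fingerprints are identical.  This is the
    comparison to make with your contact (by phone, in person, ...)."""
    return normalize_fingerprint(shown) == normalize_fingerprint(read_back)


def short_id_matches(fingerprint: str, key_id: str) -> bool:
    """Weak check: does the fingerprint end in the displayed key ID?  Any key
    whose fingerprint ends in the same 8 digits passes, so this must never
    replace the full fingerprint comparison."""
    kid = re.sub(r"^0[xX]", "", key_id.strip()).upper()
    return normalize_fingerprint(fingerprint).endswith(kid)


def format_for_reading(fingerprint: str) -> str:
    """Group the fingerprint into ten 4-digit blocks with a wider gap in the
    middle, the layout GnuPG prints, which is easier to read aloud."""
    fp = normalize_fingerprint(fingerprint)
    blocks = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(blocks[:5]) + "  " + " ".join(blocks[5:])


if __name__ == "__main__":
    long_id, short_id = key_ids(FINGERPRINT_SHOWN)
    print("Displayed key ID:", KEY_ID_SHOWN, "derived:", short_id, long_id)
    print("Read to your contact as:", format_for_reading(FINGERPRINT_SHOWN))
    # The look-alike passes the key ID check but fails the fingerprint check.
    print("Look-alike key ID matches:",
          short_id_matches(LOOKALIKE_FINGERPRINT, KEY_ID_SHOWN))
    print("Look-alike fingerprint matches:",
          fingerprints_match(FINGERPRINT_SHOWN, LOOKALIKE_FINGERPRINT))
```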
8.6 Setting trust level 


The trust level is a value you define for each public key in your keyring, expressing how 
much you trust the key's owner. For example: if a work colleague sends you his public key 
by e-mail, you verify the key's fingerprint with him and it is correct, then you can set the 
trust level to ultimately. 


However, if you obtain someone else's key from a dubious website or key server, and you 
cannot contact the owner to verify the key's fingerprint, then you should choose a lower 
trust level for that key. 


The trust level is a local classification and the key's owner will not know the value you have 
assigned to their key. 


Click on the Details button on the blue bar and select Set Owner Trust of Sender's Key. 


Figure 64: Choose the last option 


Now set the trust level you have in the sender's key. 


Figure 65: Set the trust level (the options offered are: I don't know; I do NOT trust; 
I trust marginally; I trust fully) 
If you have set the trust level to ultimately, you will notice that the blue bar now becomes 
green and it says trusted. In our example below the bar is expanded. You can expand it by 
clicking on the '+' (plus) sign at the left. 


Figure 66: Blue bar turned green because trust level was set to ultimately. 
8.7 Setting rules for your contacts 


Rules are basically a combination of keys, e-mail addresses and actions (encrypting, 
signing, attaching) that you set for your contacts (or recipients). It is through rules that 
Thunderbird and Enigmail know how to behave with each recipient. 


Enigmail is flexible and allows you to create very customized rules, but for simplicity's sake 
all our rules will be the same for every recipient. You can modify them if you want. 


1 - Open the settings window 


Click on the name of your contact and select Create OpenPGP Rule from Address. 
Figure 67: Open the settings window 
2 - Select the right key 


An advanced configurations window opens up. It shows your contact's e-mail address on 
top, which is the recipient you are creating a rule for. Ensure the second field is set to 'Is 
exactly'. You can leave all configurations the way they are for the moment. Click on the Select 
Keys button. 


Figure 68: Recipient settings 
A new window pops up showing the public keys you have in your keyring. Choose the 
public key of the contact you are setting the rule for, and then click OK. 


Figure 69: List of keys located in your keyring 
3 - Set default behavior 


Now you can see that the field Action shows the key you have chosen in the previous step. 


In the field "Defaults for..." set all fields to Always, as shown in the image below. This 
means that for the recipient you are setting the rule for, all messages will always be sent 
signed, always encrypted, and attachments will always be treated as PGP/MIME. 


When you are done click on the OK button. 


Figure 70: Setting default behavior 


Now the rule is set for this recipient. Every time you obtain someone else's public key all 
you have to do is to repeat the process of this section and make the necessary adjustments. 


Although rules can be customized a lot, keep in mind that the current configuration shown 
in this section is one of the safest possible. 
PART 3 


OTHER RESOURCES 
OF GNUPG 


In this part you will learn: 


> What is a Revocation Certification 

> How to create a Revocation Certificate 

> How to Encrypt and Decrypt Files 

> How to Sign and Verify Files 

> How to Import and Export Certificates 

> What are Key Servers and how to use them 


CHAPTER 9 
Revocation certificate 


A revocation certificate is a certificate that revokes (invalidates) your key and warns others 
that they must no longer trust your key. It should only be used if your key gets 
compromised (e.g. lost, forgotten, erased, destroyed, stolen or exposed). Since you are not 
able to use your key anymore, you have to warn other people about it. 


9.1. How a revocation certificate works 


Below is an analogy to help you understand the damage that could happen in case 
your key gets compromised, and why a revocation certificate is necessary: 


Imagine that your wallet has been stolen with all your documents inside it. The thief 
might use your documents to impersonate you, commit crimes, sign documents, etc., all 
using your name, and there is nothing you can do to prevent him from doing that. All you can 
do is go to a police station and report that your documents have been 
stolen. You will then be issued new documents, probably with different numbers, codes or 
dates, and then you will be able to use your new documents normally. 


If anything shows up in your name between the time you were robbed and the time you 
notified the police, you will know it was done by the criminals. In other words, you cannot 
prevent the criminals from using your documents, but you can minimize the damage by 
taking these measures. And obviously the faster you notify the police, the smaller the damage 
will be. 


A revocation certificate has a similar purpose: if your private key gets compromised and 
you don't have a backup copy of it, you have to revoke it, warn others that your old key is 
no longer valid, generate a new key and give others your new key, which is valid from now on. 


You should create a revocation certificate as soon as possible, preferably right after you 
create your key pair, because it is the only guarantee you have against possible damage. 


It is important to note that a revocation certificate is really useful only if you distribute your 
key on a key server, because that is the place where most people will look for your key and 
synchronize it; otherwise you would have to warn each of them one by one. 
9.2. Creating a revocation certificate 


1 - Start GnuPG 


$ gpg --output certrevoc.asc --gen-revoke mykey 


In the above command certrevoc.asc is the name of the file that will contain your revocation 
certificate. Replace mykey with the identifier of your key. 


2 - Choosing the revocation reason 


sec  4096R/9C08F860 2013-12-23 John Doe (John's key) <john.doe@example.org> 

Create a revocation certificate for this key? (y/N) y 
Please select the reason for the revocation: 
  0 = No reason specified 
  1 = Key has been compromised 
  2 = Key is superseded 
  3 = Key is no longer used 
  Q = Cancel 
(Probably you want to select 1 here) 
Your decision? 1 


The first step to create a revocation certificate is to choose a reason for it. By default GnuPG 
always suggests the second option (number 1), but you can choose any of them. 
When you are done press Enter. 


3 - Entering a description 


Enter an optional description; end it with an empty line: 
> I forgot the password 
> 
Reason for revocation: Key has been compromised 
I forgot the password 
Is this okay? (y/N) y 


Here you can enter a description to complement the revocation reason chosen previously. 
This step is optional. After entering the description (or not), finish by leaving a blank line, 
confirm by entering y and press Enter. 
4 - Entering your password 


You need a passphrase to unlock the secret key for 
user: "John Doe (John's key) <john.doe@example.org>" 
4096-bit RSA key, ID 9C08F860, created 2013-12-23 


Enter your password to finish the process. If you are using the command line then your 
password does not show up while you type. 


5 - Conclusion 


ASCII armored output forced. 
Revocation certificate created. 


Please move it to a medium which you can hide away; if Mallory gets 
access to this certificate he can use it to make your key unusable. 
It is smart to print this certificate and store it away, just in case 
your media become unreadable. But have some caution: The print system of 
your machine might store the data and make it available to others! 


After conclusion, GnuPG shows a message suggesting how to protect your certificate (see 
more instructions below). 


To verify your certificate just type the command below in the terminal (if you are using 
Windows replace cat with type): 


$ cat certrevoc.asc 


-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: GnuPG v2.0.20 (GNU/Linux) 
Comment: A revocation certificate should follow 


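Before filing the certificate away, it is worth confirming that the copy is intact. Here is an added example in Python, not part of the guide or of GnuPG, that parses the ASCII armor printed by cat certrevoc.asc, checks for the GnuPG comment line that marks a revocation certificate, and verifies the CRC-24 trailer (the line beginning with '=') defined by RFC 4880, so a copy restored from backup media is rejected if it has been corrupted. The sample block is constructed from dummy bytes, not a real certificate.

```python
"""Integrity check for an ASCII-armored revocation certificate.

Added example, not part of the original guide or of GnuPG.  SAMPLE_ARMOR is
constructed here from dummy bytes so the code runs offline; it is not a real
OpenPGP certificate."""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def encode_crc(data: bytes) -> str:
    """Armor trailer line: '=' followed by base64 of the 3-byte CRC."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def parse_armor(text: str) -> dict:
    """Split an armored block into its type, headers and decoded payload.
    Raises ValueError on structural problems or a checksum mismatch."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0])
    if not m:
        raise ValueError("missing BEGIN line")
    block_type = m.group(1)
    if lines[-1] != f"-----END PGP {block_type}-----":
        raise ValueError("missing or mismatched END line")
    if "" not in lines:
        raise ValueError("no blank line between headers and body")
    blank = lines.index("")
    headers = {}
    for h in lines[1:blank]:
        key, _, value = h.partition(": ")
        headers[key] = value
    body_lines = lines[blank + 1:-1]
    if len(body_lines) < 2 or not body_lines[-1].startswith("="):
        raise ValueError("missing CRC trailer")
    data = base64.b64decode("".join(body_lines[:-1]), validate=True)
    if body_lines[-1] != encode_crc(data):
        raise ValueError("CRC-24 mismatch: the certificate is corrupted")
    return {"type": block_type, "headers": headers, "data": data}


def is_revocation_certificate(text: str) -> bool:
    """True if the armor parses, the checksum is valid and the GnuPG comment
    line identifies the block as a revocation certificate."""
    try:
        armor = parse_armor(text)
    except ValueError:
        return False
    return (armor["type"] == "PUBLIC KEY BLOCK" and
            armor["headers"].get("Comment") == "A revocation certificate should follow")


def make_armor(data: bytes, comment: str) -> str:
    """Build an armored block in the layout GnuPG 2.0 used for certrevoc.asc."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            "Version: GnuPG v2.0.20 (GNU/Linux)\n"
            f"Comment: {comment}\n\n"
            f"{body}\n{encode_crc(data)}\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")


# Constructed sample: the payload is not a real OpenPGP packet, only bytes
# that exercise the parser and the checksum.
SAMPLE_DATA = bytes(range(120))
SAMPLE_ARMOR = make_armor(SAMPLE_DATA, "A revocation certificate should follow")


def corrupt_one_char(armor: str) -> str:
    """Alter one base64 character of the body, simulating a bad sector on the
    backup medium; a CRC of degree 24 detects any such short burst."""
    lines = armor.splitlines()
    i = lines.index("") + 1            # first body line
    ch = "A" if lines[i][0] != "A" else "B"
    lines[i] = ch + lines[i][1:]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("sample valid:", is_revocation_certificate(SAMPLE_ARMOR))
    print("corrupted copy valid:",
          is_revocation_certificate(corrupt_one_char(SAMPLE_ARMOR)))
```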
9.3. Storing your certificate 


Your revocation certificate is your only guarantee in case your private key gets 
compromised, so it is very important that you protect it carefully. 


One idea might be to print a copy of your certificate, or store it on a CD/DVD-ROM disc or 
USB drive, and keep it in a safe or another secure place in your house. 


9.4. Revoking your key 


Revoking a key is an easy process, however it is recommended that you read chapter 17 be- 
fore doing this so you may better understand the implications of using a key server. 


The basic process is to revoke the key locally and then upload it to a key server. 


1 - Import your revocation certificate 


First you import your revocation certificate (generated in section 9.2) into your keyring: 


$ gpg --import certrevoc.asc 


Now your key is unusable because it has already been revoked. 


2 - Send it to a key server 


Send your revoked key to a key server (replace keyserver_address with the key server you 
use and key_ID with your actual key ID): 


$ gpg --keyserver keyserver_address --send-keys key_ID 


Now your key is publicly revoked. The next time someone searches for your key or refreshes 
their key database they will know that your key has been revoked. It is also important to 
generate a new key and publish it so people can still contact you. 


For more information on how to use key servers check out chapter 17. 
CHAPTER 10 


Encrypting and decrypting 


Encrypting and decrypting files is the main purpose of GnuPG; you can do it for yourself or 
for others. There are two ways to do it: using symmetric or asymmetric encryption. 


10.1 - Encrypting files 


In GnuPG you can encrypt files for yourself and for others. There are two ways to do this: 
using symmetric encryption and asymmetric encryption. For more information about these 
methods check out chapter 3. 


10.1.1 - Through asymmetric encryption 


This is the most common method of encrypting files for others. You need the other person's 
public key to do it. You can also use it to encrypt files for yourself. 


Syntax: 


$ gpg --encrypt --recipient 'recipient_ID' file 


The recipient's ID can be any identifier of the key, such as the key ID, fingerprint, e-mail 
address or name. It is good practice to enclose it in single quotation marks. 


Usage example (the identifier after --recipient can equally be the key ID, the fingerprint, 
the e-mail address or the name): 


$ gpg --encrypt --recipient 'recipient_ID' Document.pdf 


In our examples the resulting file is called Document.pdf.gpg. 
10.1.2 - Through symmetric encryption 


This method is recommended to encrypt files for yourself only, since it uses a single 
password and does not specify a receiver. 


Syntax: 


$ gpg --symmetric file 


Usage example: 


$ gpg --symmetric FamilyPictures.zip 


In our example the resulting file is called FamilyPictures.zip.gpg. 


10.2 - Decrypting files 


You may need to decrypt files from others or the ones you encrypted yourself. The syntax to 
do it is the same. It is necessary to have the sender's public key to decrypt files. 


Syntax: 


$ gpg --output file --decrypt encrypted_file 


Usage example #1: 


$ gpg --output Book.pdf --decrypt Book.pdf.gpg 


In this example the output is written to another file. It is the preferred method to decrypt files. 
In our example the resulting file is called Book.pdf. 


Usage example #2: 


$ gpg --decrypt encrypted_file 


In this example the file is output to the screen. This method should only be used for short 
text files, or when combined with more advanced piping commands. 
10.3 - Changing the output filename 


By default output files from GnuPG are named according to the original file, adding the ad-
equate extension. For example: 


file.txt > file.txt.gpg (binary) 
file.txt > file.txt.asc (ASCII-armored text) 
file.txt > file.txt.sig (detached signature) 


You can easily change this behavior and choose the name you desire for the output file, as 
indicated in the examples below: 


Syntax: 


$ gpg --output OUTPUT_FILE --encrypt --recipient 'RECIPIENT_ID' FILE


The recipient's ID can be any identifier of the key, such as the key ID, fingerprint, e-mail ad-
dress or name. It is a good practice to enclose it in single quotation marks. 


Usage example #1: 


$ gpg --output MSG.gpg --encrypt --recipient 'john.doe@example.org' Message.txt


In this example the file Message.txt, after being encrypted, will be named MSG.gpg. 


The output filename change also works with other GnuPG operations, such as signing, which 
is covered in the next chapter but can be seen in the example below: 


Usage example #2: 


$ gpg --output SignedMessage.sig --detach-sign Message.txt


In this example a detached signature of the file Message.txt is generated, called 
SignedMessage.sig. 
10.4 - Choosing between multiple keys 


If you have multiple private keys in your keyring you will have to choose between them de-
pending on the operation and the recipient you are working with, otherwise GnuPG will 
use the key that is set as default (or, if none is set, the first private key in the keyring). The 
private key is what you sign with; plain encryption to someone else only uses their public 
key, and for decryption GnuPG picks the private key automatically from the encrypted file. 


To choose a key between multiple private keys add the option --local-user to the de-
sired operation, as shown in the examples below: 


Syntax: 


$ gpg --encrypt --sign --local-user 'YOUR_KEY_ID' --recipient 'RECIPIENT_ID' FILE

$ gpg --sign --local-user 'YOUR_KEY_ID' FILE


Usage examples: 


$ gpg --encrypt --sign --local-user '23C415DB' --recipient 'max.mustermann@example.net' Document.pdf

$ gpg --sign --local-user '23C415DB' Document.pdf


As you could notice, this option also works with other operations such as signing, covered in 
the next chapter. 
CHAPTER 11 


Signing and Verifying Files 


A digital signature has two purposes: to ensure the authenticity of the sender (and not 
someone impersonating him/her), and to ensure that the information is original and was 
not tampered with along the way. In a way it is similar to a physical signature on a cheque 
or a contract, but besides marking the sender's identity it also records the time the informa-
tion was signed (as reported by the signer's own clock), thus offering double security. 


As a good practice you should sign files every time you encrypt them. 


11.1 - Making signatures 


There are three ways to make a signature with GnuPG: generating an unreadable signed file, 
generating a readable signature, and generating a detached signature. Each one has differ-
ent uses and purposes: 


11.1.1 - Binary signature (unreadable) 


This method generates a new file in binary format containing the original file (now com-
pressed) plus the signature. This method is recommended to be used with non-text files. 


Usage example #1: 


$ gpg --sign file.txt


A file named file.txt.gpg is generated. 


Usage example #2: 


$ gpg --sign --armor file.txt


A file named file.txt.asc is generated (the same content, ASCII-armored so that it can be 
pasted into text). 


11.1.2 - Clear signature 


This method generates a new file in text format containing the original file plus the clear 
signature in the end. This method is recommended to be used with e-mail messages, online 
forum posts and discussion lists, since it does not compress or encrypt the original text; only 
the signature is added in the end (GnuPG does normalize line endings and prefixes lines that 
start with a dash with "- ", so the text stays readable but is not byte-for-byte identical). 


Usage example: 


$ gpg --clearsign file.txt


A file named file.txt.asc is generated, containing the original file plus the signature. 


11.1.3 - Detached signature 


This method generates a new file containing the signature only. This method is recom-
mended to be used when the original file may be distributed through several different 
ways, such as for download on different websites, since the signature may be obtained 
apart. 


Usage example #1: 


$ gpg --detach-sign file.txt


A file named file.txt.sig is generated containing the signature only. 


Usage example #2: 


$ gpg --detach-sign --armor file.txt


A file named file.txt.asc is generated containing the signature only. 


11.2 - Verifying signatures 


This process is used to verify if the signature corresponds to the author of the original file. 
It can be done either for attached or detached signatures. You need the signer's public key 
in your keyring to do it. 


Usage example #1: 


$ gpg --verify file.txt.gpg


This example is used to verify binary and clear signatures (file.txt.gpg or file.txt.asc). 


Usage example #2: 


$ gpg --verify file.txt.sig file.txt


This example is used to verify detached signatures: the signature file comes first, then the 
original file. If you omit the original file, GnuPG looks for a file with the same name as the 
signature minus its extension. 


A "Good signature" only means the signature was made with the key shown; whether that 
key really belongs to the person it names is a separate question, answered by checking its 
fingerprint (chapter 17 shows how easy it is to upload a key under someone else's name). 
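Both the encryption commands of chapter 10 and the signature commands above treat the .gpg file as a black box. The following Python script is an added example, not part of the guide or of GnuPG: it parses the OpenPGP packet headers (RFC 4880) of a binary file directly, so you can see, without any private key or passphrase, which key IDs a file is encrypted to (or that it was encrypted with a passphrase), and which issuer key ID and creation time a signature carries. Everything it reads is constructed inline: the key ID 0123456789ABCDEF, the timestamp and the MPI bytes are made up, and the ciphertext packet is a stand-in with no real data.

```python
"""Inspect a binary OpenPGP file (.gpg or .sig) without decrypting it.

Added example for this guide; not part of GnuPG or of the original text.
Parses RFC 4880 packet headers and reports the key IDs a file is encrypted
to (tag 1, PKESK), whether it is passphrase-encrypted (tag 3, SKESK), and for
a signature (tag 2) its type, issuer key ID and creation time. The sample
packets at the bottom are constructed; key ID and MPI values are dummies.
"""
import datetime
import struct

TAGS = {1: "public-key encrypted session key", 2: "signature",
        3: "symmetric-key encrypted session key", 8: "compressed data",
        9: "symmetrically encrypted data", 11: "literal data",
        18: "symmetrically encrypted, integrity protected data"}


def _new_len(buf, i):
    """Decode a new-format length (packet or subpacket) at buf[i]; return (length, next)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not handled by this example")


def parse_packets(data):
    """Split data into a list of (tag, body) top-level packets (old and new headers)."""
    i, packets = 0, []
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("byte 0x%02x at offset %d is not a packet header" % (ctb, i))
        if ctb & 0x40:                              # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            length, i = _new_len(data, i + 1)
        else:                                       # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype, i = (ctb >> 2) & 0x0F, ctb & 0x03, i + 1
            if ltype == 3:
                length = len(data) - i              # indeterminate length: rest of the input
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet with tag %d" % tag)
        packets.append((tag, body))
        i += length
    return packets


def _subpackets(area):
    """Yield (type, data) for each subpacket in a v4 signature subpacket area."""
    i = 0
    while i < len(area):
        length, i = _new_len(area, i)
        yield area[i] & 0x7F, area[i + 1:i + length]   # high bit of the type = "critical"
        i += length


def describe(data):
    """Return one dict per packet with the fields worth checking before decrypting."""
    result = []
    for tag, body in parse_packets(data):
        info = {"tag": tag, "type": TAGS.get(tag, "other")}
        if tag == 1 and body[0] == 3:                     # PKESK v3: version, key ID, algo, MPIs
            key_id = body[1:9].hex().upper()
            # An all-zero key ID means --hidden-recipient / --throw-keyids was used.
            info["key_id"] = "hidden" if key_id == "0" * 16 else key_id
        elif tag == 3 and body[0] == 4:                   # SKESK v4: version, cipher algo, S2K...
            info["cipher_algo"] = body[1]                 # e.g. 9 = AES-256
        elif tag == 2 and body[0] == 4:                   # signature v4
            info["sig_type"] = body[1]                    # 0x00 binary document, 0x01 text
            hashed_len = struct.unpack(">H", body[4:6])[0]
            hashed = body[6:6 + hashed_len]
            u = 6 + hashed_len
            unhashed = body[u + 2:u + 2 + struct.unpack(">H", body[u:u + 2])[0]]
            for stype, sdata in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
                if stype == 2:                            # signature creation time
                    ts = struct.unpack(">I", sdata)[0]
                    info["created"] = datetime.datetime.fromtimestamp(
                        ts, datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
                elif stype == 16:                         # issuer key ID
                    info["issuer"] = sdata.hex().upper()
        result.append(info)
    return result


def recipient_key_ids(data):
    """Key IDs an encrypted file is addressed to; anyone holding the file can read these."""
    return [p["key_id"] for p in describe(data) if p["tag"] == 1]


# --- constructed sample input (not real ciphertext) -------------------------
def _pkt(tag, body):
    """New-format packet header for bodies shorter than 192 bytes."""
    return bytes([0xC0 | tag, len(body)]) + body


def _subpkt(stype, sdata):
    return bytes([len(sdata) + 1, stype]) + sdata


SAMPLE_ENCRYPTED = (
    _pkt(1, b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01\x00\x08\xAB")  # to key 0123...
    + _pkt(1, b"\x03" + bytes(8) + b"\x01\x00\x08\xCD")                         # hidden recipient
    + _pkt(18, b"\x01" + bytes(20)))                                             # ciphertext stand-in
SAMPLE_SIGNATURE = _pkt(2, (
    b"\x04\x00\x01\x08"                                                        # v4, binary doc, RSA, SHA-256
    + struct.pack(">H", 6) + _subpkt(2, struct.pack(">I", 1387000000))         # hashed: creation time
    + struct.pack(">H", 10) + _subpkt(16, bytes.fromhex("0123456789ABCDEF"))   # unhashed: issuer
    + b"\xAB\xCD\x00\x08\xEF"))                                                # hash prefix + dummy MPI

if __name__ == "__main__":
    for info in describe(SAMPLE_ENCRYPTED) + describe(SAMPLE_SIGNATURE):
        print(info)
```

Two things a practitioner learns from running it: the recipient key IDs of an encrypted file are readable by anyone who obtains it (GnuPG's --hidden-recipient and --throw-keyids options replace them with zeros, which the script reports as "hidden"), and the creation time in a signature is just a field that the signer's software filled in from its own clock.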


11.3 - Extracting files from signed files 


When you obtain a signed file and verify its signature you may want to extract the original 
file from it. Another reason for that is that signed files are often also encrypted. You can 
extract it using the --decrypt command, which verifies the signature as well, as shown below: 


Syntax: 


$ gpg --output OUTPUT_FILE --decrypt SIGNED_FILE


Example: 


$ gpg --output file.txt --decrypt file.txt.gpg


This way the file will be extracted to a file named file.txt. 


11.4 - Choosing between multiple keys 


Check out chapter 10.4 for more information on this. 
CHAPTER 12 


Importing and Exporting Certificates 


To export a certificate means to generate a copy of a certificate located in your keyring to a 
file where it could then be moved or sent to others. To import a certificate means to insert a 
certificate from a file or from the internet into your keyring where it can then be used. 


To sign, verify, encrypt, decrypt and certify, you often need to import others' certificates, 
and export yours to them. 
12.1 - Exporting certificates 


12.1.1 - Exporting your public key 


The public key is the key you make available for others to communicate with you. It is only 
through this key that others can contact you privately. 


As it is located in your keyring, you first need to export it to a file, and then make this file 
available to others. To export your public key use the command below: 


Syntax: 


$ gpg --export --armor --output OUTPUT_FILE 'KEY_ID'


Example: 


$ gpg --export --armor --output mykey.asc 'john.doe@example.org'


Your public key has now been exported to the file mykey.asc. If you leave out the key ID, 
GnuPG exports every public key in your keyring. 


You can give this file to other people by any means you wish: through CD/DVD-ROM disc, 
USB drive, send by e-mail, you can publish it in a key server in the internet or make it avail- 
able for download in your website, blog or social network. 
12.1.2 - Exporting your private key 


The private key is your unique, personal and untransferable key, so you must never give it 
or send it to anyone. Ideally you should only export your private key to make a backup 
copy or to use it in another computer that you own. The exported file is protected only by 
the key's passphrase, so keep it on encrypted or offline media. 


To export your private key use the command below: 


$ gpg --export-secret-keys --armor --output mykey.asc 'KEY_ID'


Your key has now been exported to file mykey.asc (choose a different name if you already 
used that one for your public key). 


12.1.3 - Exporting your whole keyring 


Normally your whole keyring would only be exported to transfer it to another machine or 
to do a backup copy. We will present you two different ways to do it: 


Using a single file 


This way you will first export your public keys to a file and then export the private keys to 
the same file by appending to it. 


$ gpg --export --armor > keyring.asc

$ gpg --export-secret-keys --armor >> keyring.asc


Your keyring has now been exported to file keyring.asc. 


Using two files 


This way you will export your keyring to two different files, one containing the public keys 
and the other containing the private keys. It is recommended that you do it this way. 


$ gpg --export --armor --output pub_keyring.asc

$ gpg --export-secret-keys --armor --output sec_keyring.asc


Your keyring has now been exported to files pub_keyring.asc and sec_keyring.asc. Now 
when you want to import your keyring first import pub_keyring.asc and then 
sec_keyring.asc. The owner trust values you assigned to keys are not part of the keys and 
are not included; back them up separately with gpg --export-ownertrust. 
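The --armor option used above produces the .asc files mentioned in section 10.3. The Python code below is an added example, not part of the guide or of GnuPG, showing what that format is: the same binary packets, base64-encoded between BEGIN and END lines, followed by a CRC-24 of the binary data. It encodes and decodes armor and rejects a block whose checksum no longer matches. The payload is a constructed byte string rather than a real key.

```python
"""Encode and decode OpenPGP ASCII armor (the .asc form) and check its CRC-24.

Added example for this guide; not part of GnuPG or of the original text. An
.asc file holds exactly the same packets as the binary .gpg file, wrapped in
Radix-64 (base64) between "-----BEGIN PGP ...-----" lines, plus a trailing
CRC-24 checksum (RFC 4880 section 6). The sample payload is constructed.
"""
import base64
import re

_BEGIN = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----")


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(block_type, payload, headers=None):
    """Wrap binary packets, e.g. armor("MESSAGE", data) or armor("PUBLIC KEY BLOCK", data)."""
    lines = ["-----BEGIN PGP %s-----" % block_type]
    lines += ["%s: %s" % kv for kv in (headers or {}).items()]
    lines.append("")                                   # blank line ends the armor headers
    b64 = base64.b64encode(payload).decode("ascii")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii"))
    lines.append("-----END PGP %s-----" % block_type)
    return "\n".join(lines) + "\n"


def dearmor(text):
    """Return (block_type, payload, headers); raise ValueError on malformed or corrupt armor."""
    lines = text.strip().splitlines()
    m = _BEGIN.fullmatch(lines[0].strip())
    if not m:
        raise ValueError("missing BEGIN PGP line")
    block_type = m.group(1)
    if lines[-1].strip() != "-----END PGP %s-----" % block_type:
        raise ValueError("BEGIN/END lines do not match")
    body, headers, i = lines[1:-1], {}, 0
    while i < len(body) and body[i].strip():          # armor headers run until the blank line
        key, _, value = body[i].partition(": ")
        headers[key] = value
        i += 1
    data_lines = [l.strip() for l in body[i + 1:] if l.strip()]
    crc_line = data_lines.pop() if data_lines and data_lines[-1].startswith("=") else None
    payload = base64.b64decode("".join(data_lines), validate=True)
    if crc_line is not None:
        stored = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if stored != crc24(payload):
            raise ValueError("CRC-24 mismatch: armored data was damaged in transit")
    return block_type, payload, headers


def armor_is_intact(text):
    """True if the armor parses and its checksum matches, else False."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


# Constructed sample: a made-up payload standing in for real OpenPGP packets.
SAMPLE_PAYLOAD = b"hello, world"
SAMPLE_ARMORED = armor("MESSAGE", SAMPLE_PAYLOAD, {"Version": "GnuPG v2"})

if __name__ == "__main__":
    print(SAMPLE_ARMORED)
    print(dearmor(SAMPLE_ARMORED))
    # Change one base64 character ("world" -> "worle"): the CRC line no longer matches.
    print(armor_is_intact(SAMPLE_ARMORED.replace("cmxk", "cmxl")))  # False
```

The checksum only catches damage in transit (a line lost when pasting a key into a web form, for instance); anyone who edits the block can recompute it, so the integrity of the content still rests on signatures and, for encrypted data, on the MDC that GnuPG checks during decryption.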
12.2 - Importing keys and certificates 


12.2.1 - Importing certificates from a file 


To import public keys, private keys, whole keyrings or certificates of any kind use the com-
mand below: 


$ gpg --import FILE


Example: 


$ gpg --import MaxMustermann.asc


Now your certificate is imported and ready to be used. Importing does not vouch for the 
key: check its fingerprint with the owner before relying on it. 


12.2.2 - Importing certificates from key servers 


Check out chapter 17 for more information on this. 
CHAPTER 13 


Encrypting and Signing Files 


A digital signature has two purposes: to ensure that who sent the information is really who 
he claims to be (and not someone impersonating him), and to guarantee that the informa- 
tion is original and was not modified along the way. 


In a way it is similar to a physical signature in a cheque or in a contract, but it also stamps 
the time the signature was made, thus offering double security for the receiver. 


Digital signatures are often used together with encryption. 


1. Choosing the file 


Right-click on the file and choose Sign and encrypt, as shown in Figure 71. 


It is also possible to realize the same process through Kleopatra's main window by clicking 
on menu File > Sign/Encrypt files. 


(Screenshot: the file manager context menu for The_Earth_seen_from_Apollo_17.jpg, with the GpgEX entry "Sign and encrypt" highlighted.) 

Figure 71: Choose Sign and encrypt 
2. Choosing actions 


You have the option to Sign, to Encrypt or to do both actions. It is a good practice to always 
encrypt and sign, so we will do both. Choose Sign and Encrypt (OpenPGP only). 


If you want to send the file by e-mail, or you would like to have it available in pure text, 
choose the option Text output (ASCII armor). 


You can also change other options if you want, but we will leave them as default. 


(Screenshot: the Sign/Encrypt Files dialog showing the selected file, the option "Archive files with: TAR (PGP-compatible)", the choices "Sign and Encrypt (OpenPGP only)", "Encrypt" and "Sign", and the checkboxes "Text output (ASCII armor)" and "Remove unencrypted original file when done".) 

Figure 72: Choosing the actions 
3. Choosing the receiver(s) 


In the above field choose the person to whom you are sending the file by clicking on the 
person's name, and then click on Add button. The person's name and address will be shown 
on the field below which is the field of the receivers. 


(Screenshot: the "For whom do you want to encrypt?" page listing the certificates of Max Mustermann <max.mustermann@example.net> and John Doe (This is my personal key) <john.doe@example.org>, both valid from 2013-12-14.) 

Figure 73: Choosing the recipient(s) 
You can choose as many recipients as you want, including yourself. In our example we 
chose only Max Mustermann, as shown in Figure 74. If you want to remove a person from 
the receivers' field just select the person and click on the Remove button. 


When you are done click on the Next button. 


(Screenshot: the same page with Max Mustermann added to the list of recipients.) 

Figure 74: List of persons chosen 
4. Warning 


If you did not add yourself to the receivers' field, Kleopatra will issue a warning informing 
you that you will not be able to decrypt the file you are sending to another person. It is of-
ten a good practice to add yourself too, so you can go back and add yourself if you want. 
However if you keep a copy of the original file, or you do not mind not being able to de-
crypt it, you may click on the Continue button to proceed, and/or check Do not ask again so 
Kleopatra will not issue this warning again in future. 


We will click on the Continue button. 


(Screenshot: the Encrypt-To-Self Warning dialog: "None of the recipients you are encrypting to seems to be your own. This means that you will not be able to decrypt the data anymore, once encrypted. Do you want to continue, or cancel to change the recipient selection?", with a "Do not ask again" checkbox.) 

Figure 75: Warning message 
5. Choosing the private key 


Now you have to choose which private key you want to sign the file with (encryption itself 
only uses the recipients' public keys). If you have more than one key, or intend to have more 
than one key in the future, you may just choose the one you want to use now and leave the 
check box unchecked. 


However if you only use a single key you may choose it and check the check box below so 
Kleopatra will not prompt you about it anymore. 


When you are done click on Sign & Encrypt button. 


(Screenshot: the "Who do you want to sign as?" page with "Sign with OpenPGP" checked and the signing certificate John Doe (This is my personal key) <john.doe@example.org> (23C415DB) selected.) 

Figure 76: Choosing the private key you want to use 
6. Password 


Enter your private key passphrase if requested. 


(Screenshot: the pinentry dialog asking for the passphrase to unlock the secret key for the OpenPGP certificate "John Doe (This is my personal key) <john.doe@example.org>", 4096-bit RSA key, ID 23C415DB, created 2013-12-14.) 

Figure 77: Enter password 


7. Wait for the operation to finish 


Wait for the signing and/or encryption operation to finish. 


(Screenshot: the Results page showing the progress of the OpenPGP operation on The_Earth_seen_from_Apollo_17.jpg, with "Keep open after operation completed" checked.) 

Figure 78: Operation progress 
8. Conclusion 


After the operation is finished, an encrypted file will be created in the same folder as the 
original file, or in a different place if you have chosen one. 


Just click on the Finish button or close the window. 


(Screenshot: the Results page reporting "OpenPGP: All operations completed.") 

Figure 79: Conclusion 
CHAPTER 14 


Decrypting and Verifying 


To decrypt a file you must have in your keyring the private key it was encrypted to (your 
own), and to verify the signature of a file you must have the sender's public key, the signed 
file and, for a detached signature, both the original file and the signature. 


1. Choose the file 


Right-click on the file and choose Decrypt and verify, as shown in Figure 80. 


(Screenshot: the file manager context menu for The_Earth_seen_from_Apollo_17.jpg.gpg (GPG File, 6,341 KB) with the GpgEX entry "Decrypt and verify".) 

Figure 80: Choose Decrypt and verify 
2. Perform the action 


If you are verifying a file with a detached signature, tick the box "Input file is a detached 
signature" and click on the folder icon button next to "Signed data" to choose the original 
file the signature belongs to. 


When you are ready to decrypt and/or verify the file click on the Decrypt/Verify button. 


(Screenshot: the Decrypt/Verify Files dialog with Input file C:/Documents and Settings/John/My Documents/Downloads/The_Earth_seen_from_Apollo_17.jpg.gpg, the checkboxes "Input file is a detached signature" (with a "Signed data" field) and "Input file is an archive; unpack with: Tar (PGP-compatible)", "Create all output files in a single folder" checked, and the Output Folder set to the Downloads folder.) 

Figure 81: Perform the action 
3 - Enter password 


Enter your key password if requested. 


(Screenshot: the pinentry dialog asking for the passphrase to unlock the secret key for the OpenPGP certificate "John Doe (This is my personal key) <john.doe@example.org>", 4096-bit RSA key, ID 23C415DB, created 2013-12-14.) 

Figure 82: Enter password 


4 - Wait for the operation to complete 


Wait for the operation to complete. 


(Screenshot: the Decrypt/Verify Files window showing "Operation 1: Decrypting: The_Earth_seen_from_Apollo_17.jpg.gpg..." with "Keep open after operation completed" checked.) 

Figure 83: Wait for the operation to complete 
5 - Operation completed 


The operation is now completed. If Kleopatra could validate the sender's signature you 
should see a green bar as in Figure 84, otherwise it would show a yellow bar. A yellow bar 
usually means the signature itself checked out but the signing key has not been verified or 
trusted, so treat the result as unverified until you have checked the key's fingerprint. 


(Screenshot: the Decrypt/Verify Files window reporting "All operations completed." with a green result bar.) 

Figure 84: Operation completed 
CHAPTER 15 


Importing and Exporting Certificates 


To export a certificate means to generate a copy of a certificate that is in your keyring to a 
file where it could then be moved or sent to others. To import a certificate means to insert a 
certificate from a file into your keyring where it can then be used. 


To sign, verify, encrypt, decrypt and certify, you often need to import others' certificates, 
and export yours to them. 


15.1. Exporting your public key 


The public key is the key you make available for others to communicate with you. It is only 
through this key that others can contact you privately. 


To export your public key open Kleopatra, right-click on your key and select Export 
Certificates, or press Ctrl+E: 


(Screenshot: Kleopatra's main window, My Certificates tab, with the certificate of John Doe (OpenPGP, key ID 23C415DB, valid from 2013-12-14) selected and its context menu open: Change Owner Trust..., Trust Root Certificate, Distrust Root Certificate, Certify Certificate..., Change Expiry Date..., Change Passphrase..., Add User-ID..., Delete, Export Certificates... Ctrl+E, Export Secret Keys..., Export Certificates to Server... Ctrl+Shift+E, Certificate Details.) 

Figure 85: Exporting public key 
Now choose where you want to save your public key. By default Kleopatra suggests the 
key's fingerprint as a name, but you can change that to any name you want. 


When you are done click on Save button. 


(Screenshot: the Export Certificates save dialog in My Documents; the suggested file name is the key's fingerprint with the .asc extension, save type "OpenPGP Certificates (*.asc *.gpg *.pgp)".) 

Figure 86: Choosing export directory 


That's it, now your public key has already been exported to the directory you chose. This 
operation does not show a confirmation message. 
15.2. Exporting your private key 

The private key is your unique, personal and untransferable key, so you must never give it 
or send it to anyone. Ideally you should only export your private key to make a backup 
copy or to use it in another computer that you own. 


1 - Select the certificate 


Right-click on your key and select Export Secret Keys. 


(Screenshot: Kleopatra's main window with the context menu of John Doe's certificate (OpenPGP, key ID 23C415DB) open and "Export Secret Keys..." highlighted.) 

Figure 87: Exporting private key 


Page 113 of 140 https://goldencontest.wordpress.com 


GnuPG High Level Cryptography ©2014 Golden Keys 


2 - Choose the output location 


In the window below click on the button with the symbol of a folder. 


(Screenshot: the Export Secret Certificate dialog, "Please select export options for John Doe (This is my personal key) <john.doe@example.org> (23C415DB)", with an empty Output file field, a folder button and an "ASCII armor" checkbox.) 

Figure 88: Output window 


Choose a place to save your certificate and choose a name for it if you wish. 


(Screenshot: the Save As dialog in My Documents with the file name MyPrivateKey and save type "Secret Key Files (*.gpg *.asc *.p12 *.pem *.pgp)".) 

Figure 89: Choose output location 
3 - Confirmation 


The window below shows the output location you have chosen to export your certificate. 
Since you are exporting a certificate, it is recommended that you check the ASCII Armor 
checkbox. 


When you are done click on OK button. 


(Screenshot: the Export Secret Certificate dialog for John Doe (This is my personal key) <john.doe@example.org> (23C415DB) with Output file .../My Documents/MyPrivateKey.asc and "ASCII armor" checked.) 

Figure 90: Output window 


(Screenshot: the Secret Key Export Finished message "Secret key successfully exported." with an OK button.) 

Figure 91: Confirmation message 


That's it, now your certificate is exported to the directory you have chosen. 




15.3 - Importing Certificates 


There are two different ways to import certificates: through the Kleopatra main interface or 
right-clicking on the file directly. 


15.3.1 - Importing through Kleopatra 


Open Kleopatra and click on File > Import Certificates, or press Ctrl+I, or click on the 
Import Certificates button on the toolbar. 


(Screenshot: Kleopatra's File menu: New Certificate... Ctrl+N, Lookup Certificates on Server... Ctrl+Shift+I, Import Certificates... Ctrl+I, Export Certificates... Ctrl+E, Export Secret Keys..., Export Certificates to Server... Ctrl+Shift+E, Decrypt/Verify Files..., Sign/Encrypt Files..., Create Checksum Files..., Verify Checksum Files..., Close Ctrl+W, Quit Ctrl+Q.) 

Figure 92: Importing certificates 
Choose the place where the certificate is located, select it and click on the Open button. 


(Screenshot: the Select Certificate File dialog in My Documents with the file MaxMustermann.asc chosen; file type "Certificates (*.asc *.cer *.cert *.crt *.der *.pem ...)".) 

Figure 93: Open the certificate 


A confirmation message will show up informing you that the operation was successful. You 
can now see the certificate in your list. 


(Screenshot: the Certificate Import Result dialog: "Detailed results of importing C:/Documents and Settings/John/My Documents/MaxMustermann.asc: Total number processed: 1, Imported: 1".) 

Figure 94: Confirmation message 
15.3.2 - Importing through the file manager 


Right-click on the file and select More GpgEX options > Import keys. 


(Screenshot: the file manager context menu for MaxMustermann.asc with the submenu More GpgEX options open: Decrypt, Verify, Decrypt and verify, Encrypt, Sign, Sign and encrypt, Import keys, Create checksums, Verify checksums, Help on GpgEX, About GpgEX.) 

Figure 95: Choosing file 


A confirmation message will show up informing you that the operation was successful. You 
can now see the certificate in your list. 


(Screensh­ot: the Certificate Import Result dialog: "Detailed results of importing C:/Documents and Settings/John/My Documents/MaxMustermann.asc: Total number processed: 1, Imported: 1".) 

Figure 96: Confirmation message 
CHAPTER 16 


Importing and Exporting Certificates 


To export a certificate means to generate a copy of a certificate that is in your keyring to a 
file where it could then be moved or sent to others. To import a certificate means to insert a 
certificate from a file into your keyring where it can then be used. 

To sign, verify, encrypt, decrypt and certify, you often need to import others' certificates, 
and export yours to them. 


1. Exporting your public key 


The public key is the key you make available for others to communicate with you. It is only 
through this key that others can contact you privately. 


To export your public key open Seahorse, select your key and click on menu File > Export. 


(Screenshot: Seahorse (Passwords and Keys) listing the personal PGP key of Jane Doe <jane.doe@example.org> under GnuPG keys, with an OpenSSH keys section below.) 

Figure 97: Seahorse Exporting Public Key 
Now choose the place where you want to save it and choose a name for the file if you wish. 
You can also select Armored PGP keys in the lower right side if you want your key to be ex- 
ported as encoded text. 


When you are finished click on Export button. 


(Screenshot: Seahorse's export file chooser, saving into the Documents folder.) 

Figure 98: Seahorse Saving Exported Public Key 


That's it, now your public key is exported to the directory you chose. This operation does 
not show confirmation message. 
2. Exporting your private key 
The private key is your unique, personal and untransferable key, so you must never give it 
or send it to anyone. Ideally you should only export your private key to make a backup 


copy or to use it in another computer that you own. 


Right-click on your key and select Properties. 


(Screenshot: the context menu of Jane Doe's key in Seahorse, with the Delete and Properties entries.) 

Figure 99: Access your key's properties 
In the window that opens it shows a summary of your key. Click on the last tab, Details. 


(Screenshot: the properties window of Jane Doe's key.) 

Figure 100: Summary of your key 
Now you can see the Details tab showing advanced details of your key. Click on the Export 
button to export your private key. 


(Screenshot: the Details tab of Jane Doe's key properties, with the Export button.) 

Figure 101: Advanced details of your key 
Now choose the place where you want to save it and choose a name for the file if you wish. 
Private keys can only be exported as Armored PGP (encoded text). 


When you are finished click on the Export button. 


(Screenshot: Seahorse's file chooser, saving into the Documents folder.) 

Figure 102: Choosing saving location 


That's it, now your private key is exported to the directory you chose. Remember that this 
file is protected only by your key's passphrase, so store it securely. 
3. Importing keys and certificates 


Open Seahorse, click on menu File > Import, or press Ctrl+I. 


(Screenshot: Seahorse's File menu with the Import... entry, above Jane Doe's personal PGP key.) 

Figure 103: Importing certificates 


Choose the certificate you want to import and click on Open button. 


(Screenshot: the Import Key file chooser with the file info-eff-org.txt.key (4.4 kB) selected; file filter "All key files".) 

Figure 104: Choose the certificate 
Seahorse will show a message informing you that the certificate has not been verified yet. 
You can click on Details if you want to check additional information about the certificate, 
including its fingerprint; compare it with the one the owner gave you before using the key. 


To import the certificate just click on the Import button. 


(Screenshot: Seahorse's import dialog: "Data to be imported: EFF Info, Email: info@eff.org. The information in this key has not yet been verified", with Details, Cancel and Import buttons.) 

Figure 105: Certificate to be imported 


(Screenshot: Seahorse now listing the PGP key EFF Info <info@eff.org> next to Jane Doe's personal key under GnuPG keys.) 

Figure 106: Imported certificate 


That's it, now your certificate is imported and is already located in your keyring. 
CHAPTER 17 


Key servers 


Key servers are computers that store public keys and serve them to users, allowing them to 
upload and retrieve keys and to publish revocations. There are many key servers available 
and the basic idea is that they all synchronize their databases so they always have the same 
keys and they are always updated, although each key server is free to set its own rules re-
garding any of the operations mentioned before. 


17.1 - Why use key servers? 


The biggest advantage of using a key server is that if someone wants your key to contact 
you securely they don't have to request it to you, instead they can simply search for it in a 
key server and download your key. This is very useful if you own a blog or a website, or if 
you often expect strangers to contact you. 


However once a key is uploaded to a key server it is publicly available and cannot be 
deleted, it will supposedly remain there forever. If you don't want to use that key anymore 
all your can do is to revoke it, but even then it will still remain there marked as revoked. 


Also keep in mind that anyone could upload your key without asking your permission. This 
is because key servers are highly unregulated, so anyone can upload anything without veri-
fication or validation. Consequently there is a large amount of fake keys stored on them. 


Key servers used to be more popular in the beginning of the 1990s, before the internet be- 
came commercial, because back at that time very few people had internet access and an up- 
dated place where other people's keys could be easily found was very convenient. Today 
most GnuPG users have websites, blogs and/or social networks and they can publish their 
keys in those platforms, which anyone can access directly. 


Nonetheless, key servers are still very popular and most — if not all - OpenPGP implementa- 
tions have support for key servers. 
17.2 - Using Key Servers via Command Line 


17.2.1 - Searching and Importing keys 


To import a key from a key server you have to search for it using the command below: 


Syntax: 


$ gpg --search-keys 'SEARCH_TERM'


The search term can be a name, an e-mail address or a key ID. Below we will search for a 
key named 'Bill Gates' and then import it into our keyring. 


$ gpg --search-keys 'Bill Gates'
gpg: searching for "Bill Gates" from hkp server keys.gnupg.net
(1)     bill gates (claves) <billgates@gmail.com>
          2048 bit DSA key E2DDE443, created: 2013-10-17
(2)     Bill Gates <bill@gates.net>
          2048 bit RSA key DA6782E0, created: 2013-08-28 (revoked)
(3)     Bill Gates <2648778@gmail.com>
          2048 bit RSA key AC260CFB, created: 2013-08-20
(4)     Bill Gates <billg@microsoft.com>
          2048 bit RSA key D42DA1AA, created: 2013-07-12
(5)     Bill Gates <dedalus@mail.is>
          2048 bit RSA key 500FF66A, created: 2013-07-11
(6)     yoyo50 <bill@gates>
          2048 bit RSA key 20F8D5EF, created: 2013-06-01
(7)     Bill Gates (stupid) <billgates@microsoft.com>
          2048 bit RSA key 0BAB5FA5, created: 2011-12-21
(8)     Bill Gates <jerry.sych@gmail.com>
          2048 bit RSA key 61CDB1EB, created: 2011-12-04
(9)     bill gates <jerry.sych@gmail.com>
          2048 bit RSA key 1B385AE3, created: 2011-12-04
(10)    bill gates <jerry.sych@gmail.com>
          2048 bit RSA key A88D8F59, created: 2011-12-03
(11)    Bill Gates <fila.andr@gmail.com>
          2048 bit RSA key 9EA412C7, created: 2011-03-19
Keys 1-11 of 91 for "Bill Gates".  Enter number(s), N)ext, or Q)uit >


91 keys were found. Enter the number of the key you are looking for and press Enter, or 
press N to see the next 11 results, and so on. You can choose more than one key if you 
want; just separate the numbers with a comma. We will choose the 4th key. 
gpg: requesting key D42DA1AA from hkp server keys.gnupg.net 
gpg: key D42DA1AA: public key "Bill Gates <billg@microsoft.com>" imported 
gpg: Total number processed: 1 
gpg:               imported: 1  (RSA: 1) 


The key is now in your keyring and you can check it with the listing command. Importing it 
does not make it trustworthy, though: 91 keys on this server claim to be Bill Gates, so 
compare the imported key's fingerprint with one you obtained from the real owner before 
you encrypt anything to it. 
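One way to perform that fingerprint comparison, as an added example for this guide rather than code from GnuPG or from the guide's authors. It reads the machine-readable listing produced by `gpg2 --with-colons --fingerprint KEY_ID` (the sample below is constructed to match the key imported above; its timestamps, uid hash and subkey long ID are assumed), compares the full 40-digit fingerprint against one supplied out of band, and rejects a look-alike key that shares only the 8-digit short key ID (the second fingerprint is also constructed):

```python
"""Check a key pulled from a key server against a fingerprint obtained out of band.

Added example for this guide, not GnuPG code. It parses the machine-readable output
of `gpg2 --with-colons --fingerprint KEY_ID` and compares the full 40-hex-digit
fingerprint, never just the 8-digit short key ID that --search-keys displays.
"""
import hmac
import re

FULL_FINGERPRINT = re.compile(r"^[0-9A-F]{40}$")

# Constructed sample of what `gpg2 --with-colons --fingerprint D42DA1AA` prints for
# the key imported in 17.2.1. The primary fingerprint is the one the key server
# showed; the timestamps, uid hash and subkey long ID are assumed, not from the guide.
SAMPLE_LISTING = """\
pub:-:2048:1:33C9C741D42DA1AA:1373587200:::-:::scESC:
fpr:::::::::BE6EAFD495C06AAED3B05FB733C9C741D42DA1AA:
uid:-::::1373587200::0000000000000000000000000000000000000000::Bill Gates <billg@microsoft.com>:
sub:-:2048:1:000000004C4E878C:1373587200::::::e:
fpr:::::::::000000000000000000000000000000004C4E878C:
"""

# Constructed fingerprint of a different key that ends in the same 32 bits, i.e. it
# has the same short key ID D42DA1AA. Such look-alikes are cheap to generate.
LOOKALIKE_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEFD42DA1AA"


def normalize_fingerprint(text):
    """Remove the spaces GnuPG and key servers insert for readability and upper-case.

    Raises ValueError unless the result is a full 160-bit (40 hex digit) fingerprint,
    so a short or long key ID can never be mistaken for a fingerprint.
    """
    fpr = re.sub(r"\s+", "", text).upper()
    if not FULL_FINGERPRINT.match(fpr):
        raise ValueError("not a full 40-hex-digit fingerprint: %r" % text)
    return fpr


def short_key_id(fingerprint):
    """The 8-digit short key ID is just the last 32 bits of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-8:]


def parse_primary_fingerprints(listing):
    """Map long key ID -> fingerprint for every primary key in --with-colons output.

    An fpr record describes the pub or sub record immediately before it; subkey
    fingerprints are skipped because trust decisions are made on the primary key.
    """
    result = {}
    pending_key_id = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending_key_id = fields[4]          # field 5: long key ID
        elif fields[0] == "sub":
            pending_key_id = None
        elif fields[0] == "fpr" and pending_key_id is not None:
            fpr = fields[9]                     # field 10: fingerprint
            if FULL_FINGERPRINT.match(fpr):
                result[pending_key_id] = fpr
            pending_key_id = None
    return result


def fingerprint_matches(actual, expected):
    """Constant-time comparison of two normalized fingerprints."""
    return hmac.compare_digest(normalize_fingerprint(actual).encode(),
                               normalize_fingerprint(expected).encode())


def check_imported_key(listing, expected_fingerprint):
    """Return (ok, message): ok only if a primary key in the listing has exactly the
    fingerprint you obtained from the owner. A key that merely shares the short key
    ID is reported as a look-alike and rejected.
    """
    expected = normalize_fingerprint(expected_fingerprint)
    fingerprints = parse_primary_fingerprints(listing)
    for key_id, fpr in fingerprints.items():
        if fingerprint_matches(fpr, expected):
            return True, "key %s matches the expected fingerprint" % key_id
    for key_id, fpr in fingerprints.items():
        if fpr[-8:] == expected[-8:]:
            return False, ("key %s has the same short key ID %s but a different "
                           "fingerprint: a look-alike, do not trust it" % (key_id, fpr[-8:]))
    return False, "no key in the listing has the expected fingerprint"


if __name__ == "__main__":
    owner_says = "BE6E AFD4 95C0 6AAE D3B0 5FB7 33C9 C741 D42D A1AA"  # from the owner, out of band
    print(check_imported_key(SAMPLE_LISTING, owner_says))
    print(check_imported_key(SAMPLE_LISTING, LOOKALIKE_FINGERPRINT))
```

In practice, run `gpg2 --with-colons --fingerprint D42DA1AA` after the import and pass its output to `check_imported_key` together with the fingerprint the owner gave you. A match on the short key ID alone is not enough: the short ID is just the last 32 bits of the fingerprint, and another key can be generated with the same last 32 bits.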


17.2.2 - Sending your key to a key server 


To publish your key you need to choose the key server you are going to use and use one of 
the commands below: 


Syntax: 


$ gpg2 --send-keys KEY_ID 


$ gpg2 --keyserver KEY_SERVER --send-keys KEY_ID 


The first command sends the key to the key server set in your GnuPG configuration file 
(keys.gnupg.net unless you changed it); the second lets you name the key server on the 
command line. 


We will choose the second command because it allows us to specify the key server we 
want to use, which in our example is the same one used by GnuPG by default: 


$ gpg2 --keyserver keys.gnupg.net --send-keys A1B2C3D4 


gpg: sending key A1B2C3D4 to hkp server keys.gnupg.net 


That's it, your key has been sent to the key server and now it is available to the public. 


You can check your key now following the instructions shown in section 17.2.1. 
17.3.2 - Searching and importing keys 


Enter the name of the key you are looking for in the field indicated in the image below and 
press the Search button. You can also customize the following options: 


• Index: is cleaner and shows less information about the keys. You have to click on the 
key links to see additional information. 


• Verbose index: shows additional information about the keys in the main window. 
• Show OpenPGP "fingerprints" for keys: shows the keys' fingerprints. 


• Only return exact matches: tries to return exact matches of the string(s) entered. 


[Figure 107: Searching key string. Web form titled 'Extracting a OpenPGP Key' with Index / 
Verbose Index radio buttons, a Search String field containing 'Bill Gates', the checkboxes 
'Show OpenPGP "fingerprints" for keys' and 'Only return exact matches', and Reset / Search! 
buttons.] 
The key server will show a list of keys containing the strings you entered. Find the correct 
key you want to import. As we did in our previous example, we will choose the 4th key 
again, which is shown in the image below. Click on the link indicated to see the key. Note 
that the result shows the full fingerprint: that is what you should compare with the owner, 
not only the 8-character key ID, which is merely the last 32 bits of the fingerprint and can 
be shared by several different keys. 


pub  2048R/D42DA1AA 2013-07-12 
     Fingerprint=BE6E AFD4 95C0 6AAE D3B0 5FB7 33C9 C741 D42D A1AA 

uid  Bill Gates <billg@microsoft.com> 
sig  sig3  D42DA1AA 2013-07-12 __________ [selfsig] 

sub  2048R/4C4E878C 2013-07-12 
sig  sbind D42DA1AA 2013-07-12 __________ [] 


Figure 108: Search key result 


Now you will see the key on screen. Select it, including the BEGIN and END lines, copy it 
and save it in a text file. You can use any extension you want, preferably .asc or .key. 


-----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: SKS 1.1.4 
Comment: Hostname: keyserver.ubuntu.com 

mQENBFHgOD4BCADJDolugN5Cmri6okG9IQrixXv3zArySCtxXPa82zdh1lm6qYdEm6m8vvbgnDv 
14PogRTLiy5WqxJSWrWRIN/P603qJ7gSjTu2Psd8pL6+yww7q2gWfNOPzbyE6e6mU6Q3phe3 
TiRJaZFnHsJd6ikd/1KamcAM/gsKDIg/IvrZW+4AU2DXPg2ZtibxdUmGtIlysJM6dxrccqex 
7UVGqamO8wvNEUfxi704vHaGG+5c/PyM92ZpTYwUZaNExJZjRiccl/tIGucdn215g/Pq1R0d 
Nv9+PjDgYVOsaz9kva7uhQxmKqgMGEnJqNr8hcfkmfGlT0+JFEowAr9FQ+EUwqmICAVhABEB 
AAGOIEJpbGwgR2FOZXMgPGJpbGxnQG1pY3Jvc29mdC5jb20+iQE5BBMBAgAjBQJR4Dg+AhsD 
BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQM8nHQdQtoarJ7Af/TOMDpDCcYaGOGdyX 
4pcfqBtpGBtTrJpadtdTq/EVE8Y96bbJizYt5zMwa0L9OgbAcSXsD7RupDimadJelThdZbZ3 
toIqQdXEzgj3tyXRAQX5mR7Emgk6zgO0VBPDphk9xDHONNzLuyjCVaBvjgYit+KTdc19jr+78m 
/OLXzpDNeaNCA/6000/n/6DI5SYcx1mxeqd4waRGg3bez0u8vDuapzAmjAna0Tn6yWf89cwv 
30zswSrUnn670FnGCaQv0O2SMKYMcP8zSFUDgdM93xNpa3D+VYVYYU2cxSLBgGFbYtlL4yNxQn 
7MTYvbnjp20Ew+f3165+0q54Nunam56B5D+14LkBDQRR4Dg+AQgAu+6AXMJFHFx08Bj6GQNVO 
qxEiaDuzYl6E7RggcWfHW7No6kYGy0+yRwgu+8BKPsPc+VLZ1xweOBqLSm4NDQQINRiLbC7G 
TnKLmZWqSID4IWvhzRX9kDV2KWi3jFPKD8cCB16z4afsfLPBM6KFtW2TpfIwZ5jf54RbWozf 
IxPGotzh8NqwKkSfsUq+P+6YqtfqHIu8QEUhdSNB1IFx3vYQaY4qrx7eX24Z157zSn0G0e+vvq 
cX7ShfI1EVgtJr4e5q6X38bX02We4eE4jduduo4wypGXH4eAJUSM/TdJ6MLRpYXit1/TpG33 
e8NP77nExZFSLdpT0+/xtNEDBOLYNQwt6wARAQABiQEfBBgBAgAJBQJR4Dg+AhsMAAoJEDPJ 
XOHULaGq6GYH/11Z8fx5nuoWR/TQQTL/L+0MpS350ZZOAdWn7ScihpRLPoFCzYtDNv7yOwSc 
Zmj/kyokVpYWb5KgaIDRFw8DJzowBSzG/q8CkVMvZoKVo8TmUh5RCix/LD6FXEk93MfThmel 
ofHYEbcMPhrPcATFOpE7aSC2vSI6HD8/+Gjk63kfUr71WYc7jFEDmAbkirTTtO8IaqgZWTuP 
LAS6/S3tBBv6LVE2QDYcCJ4jwxEgRZX9knXXw6tePwj8iQatLn7lLACUavgDKN5iqCjqSGU0s 
c2nGpEECquftcyWwHfKKFxvv8A2IPWi0+aAqo+sNB+V0jG1liuuHKNHryffuOWUsVjzD0= 
=2Ywm 
-----END PGP PUBLIC KEY BLOCK----- 


Now you have a copy of the key. All you have to do is to import the file to your keyring, 
check out chapters 12, 15 and 16 for more information. 
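Copying a key block from a web page is where things go wrong most often: the paste starts or stops a line too early, or picks up stray spaces. Before importing, you can check that the block is complete, as in this added example for the guide (not GnuPG's own code). It implements the armor checksum that OpenPGP defines (CRC-24 from RFC 4880 section 6.1), which GnuPG also verifies on import, and explains exactly what is wrong. The sample block is built from a constructed payload of arbitrary bytes rather than from a real key, with the same Version and Comment headers as the block above:

```python
"""Check that a copied ASCII-armored key block is complete and intact before import.

Added example for this guide, not GnuPG code. It implements the armor checksum from
RFC 4880 section 6.1 (CRC-24, initial value 0xB704CE, polynomial 0x1864CFB), which
GnuPG also checks on import, so a block that lost a line or picked up stray
characters while being copied from a web page is caught with a clear reason.
"""
import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
BEGIN_LINE = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END_LINE = "-----END PGP PUBLIC KEY BLOCK-----"
BASE64_JUNK = re.compile(r"[^A-Za-z0-9+/=]")


def crc24(data):
    """CRC-24 over raw bytes, exactly as specified for OpenPGP armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload, headers=()):
    """Wrap raw bytes in a public-key armor block (used here only to build sample input)."""
    b64 = base64.b64encode(payload).decode()
    lines = [BEGIN_LINE, *headers, ""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode())
    lines.append(END_LINE)
    return "\n".join(lines) + "\n"


def check_armor(text):
    """Return (payload, None) if the block is well formed and its checksum matches,
    otherwise (None, reason)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN_LINE:
        return None, "missing BEGIN line: the copy started too late"
    if lines[-1] != END_LINE:
        return None, "missing END line: the copy stopped too early"
    body = lines[1:-1]
    # Armor headers (Version:, Comment:) end at the first blank line.
    start = body.index("") + 1 if "" in body else 0
    data_lines = [line for line in body[start:] if line]
    if not data_lines or not data_lines[-1].startswith("="):
        return None, "missing checksum line"
    crc_line = data_lines.pop()
    if any(BASE64_JUNK.search(line) for line in data_lines):
        return None, "stray characters inside the base64 data (spaces from a bad paste?)"
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return None, "base64 data cannot be decoded"
    if crc24(payload) != expected:
        return None, "checksum mismatch: the block was truncated or altered"
    return payload, None


# Constructed sample: 120 arbitrary bytes stand in for the OpenPGP packets of a key.
SAMPLE_PAYLOAD = bytes(range(120))
SAMPLE_BLOCK = armor(SAMPLE_PAYLOAD,
                     headers=("Version: SKS 1.1.4", "Comment: Hostname: keyserver.ubuntu.com"))

if __name__ == "__main__":
    print(check_armor(SAMPLE_BLOCK))
    print(check_armor("\n".join(SAMPLE_BLOCK.splitlines()[:-3])))  # paste cut short
```

Read the saved .asc file and pass its contents to `check_armor`; a `None` reason means the text you pasted is byte-for-byte what the key server served, and only then is it worth importing and verifying the fingerprint.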
17.3.1 - Sending your key to a key server 


First you have to access the website of the key server you want to use. Below are listed 
some of the most popular key servers that can be accessed via web interface: 


• keys.gnupg.net 
• keyserver.ubuntu.com 
• pgp.mit.edu 


1 - Access the website 
Access the website of the key server you have chosen. We are using keyserver.ubuntu.com. 
2 - Paste your key into the field 


Scroll down and paste your key into the field 'Submitting a new OpenPGP Key', as shown 
below. You must have already exported your public key to do it. For more information on 
how to do it see chapters 12, 15 and 16. 


[Figure 109: Sending public key. Web form titled 'Submitting a new OpenPGP Key' with a 
text area labelled 'Enter ASCII-armored OpenPGP key here:' containing the pasted public 
key block, and Reset / Submit! buttons.] 
3 - Send your key 
Click on Submit button. You will see the following confirmation message: 


Key block added to key server database. New public keys added: 
1 key(s) added successfully. 


Now your key has been successfully published. 
PART 4 


FINAL 
CONSIDERATIONS 


In this part you will learn: 
> List of Commands 
> Bringing more People to GnuPG 


> Conclusion 
CHAPTER 18 
Commands Reference List 


Here you will find a reference list with the most common GnuPG commands. This is not a 
complete list, but it contains all commands used throughout this manual, including some 
variations not previously used, such as shortening and combining. 


Some commands were broken into two lines to facilitate comprehension. 


Encryption 


Symmetric Encryption 


Encrypting in binary format (GnuPG will ask you to enter a password): 


$ gpg2 --symmetric file.txt 
$ gpg2 -c file.txt 


Encrypting in ASCII-armored format: 


$ gpg2 --symmetric --armor file.txt 
$ gpg2 -c -a file.txt 
$ gpg2 -ca file.txt 


Asymmetric Encryption 


Encrypting in binary format without recipient (GnuPG will ask you to provide one): 


$ gpg2 --encrypt file.txt 


Encrypting in binary format with recipient: 


$ gpg2 --recipient KEY_ID --encrypt file.txt 
$ gpg2 -r KEY_ID -e file.txt 


Encrypting in ASCII-armored format with recipient: 


$ gpg2 --recipient KEY_ID --encrypt --armor file.txt 
$ gpg2 -r KEY_ID -e -a file.txt 
$ gpg2 -r KEY_ID -ea file.txt 


Decryption 


Decrypting without output file (GnuPG will show its content on the screen): 


$ gpg2 --decrypt file.gpg 
$ gpg2 -d file.gpg 


Decrypting with output file: 


$ gpg2 --output file.txt --decrypt file.gpg 


Signing 


Signing in binary format: 


$ gpg2 --sign file.txt 
$ gpg2 -s file.txt 
Signing in ASCII-armored format: 


$ gpg2 --sign --armor file.txt 


$ gpg2 -s -a file.txt 
$ gpg2 -sa file.txt 


Clearsigning: 


$ gpg2 --clearsign file.txt 


Detached signature in binary format: 


$ gpg2 --detach-sign file.zip 


Detached signature in ASCIl-armored format: 


$ gpg2 --armor --detach-sign file.zip 


NOTE: To extract files from binary or clear 
signed files check Decryption section. 


Verifying 


Verifying Signed and Clearsigned files: 


$ gpg2 --decrypt file.gpg 


Verifying Detached Signatures: 


$ gpg2 --verify file.sig file.txt 


Key Management 


Generate a key pair 


$ gpg2 --gen-key 
Import keys 


$ gpg2 --import key.asc 


Export Keys 


Export public keys in binary format: 


$ gpg2 --export KEY_ID 


Export public keys in ASCII-armored format: 


$ gpg2 --export --armor KEY_ID 


Export private keys in ASCII-armored format: 


$ gpg2 --armor --output mykey.asc 
--export-secret-keys KEY_ID 


Export whole keyring into a single file: 
$ gpg2 --export --armor > keyring.asc 


$ gpg2 --export-secret-keys 
--armor >> keyring.asc 


Export whole keyring into two files: 
$ gpg2 --export --armor 
--output pub_keyring.asc 


$ gpg2 --export-secret-keys --armor 
--output sec_keyring.asc 


NOTE: mykey.asc, keyring.asc and sec_keyring.asc contain your private keys. 
Keep them only on encrypted or offline storage and delete them when they are 
no longer needed. 


Listing keys 
Listing public keys: 


$ gpg2 --list-keys 


$ gpg2 -k 




GnuPG High Level Cryptography 


Listing private keys: 


$ gpg2 --list-secret-keys 
$ gpg2 -K 


Showing fingerprint 


$ gpg2 --fingerprint KEY_ID 


NOTE: You can combine the --fingerprint 
option with the listing commands 


Deleting keys 
Deleting public keys: 


$ gpg2 --delete-key KEY_ID 


Deleting private keys (the public key is deleted too): 


$ gpg2 --delete-secret-and-public-key KEY_ID 


Revoking keys: 


$ gpg2 --output revoke.asc 
--gen-revoke KEY_ID 
CHAPTER 19 
Bringing more people to GnuPG 


There's no point in using cryptography to communicate with others in a secure way if they 
don't use it and they don't know how to use it. The reality is that very few people will look 
for and start using cryptography by themselves. They are more likely to do it if they become 
aware of the benefits of this technology and others they know already use it. 


To address this problem we wrote a short text message that you can send to other people 
to invite them to learn more about e-mail cryptography. 


Hello CONTACT NAME, 


what would you think if all e-mails you've ever sent and received, including the ones you 
deleted years ago, were made public so the entire world could read them? Your personal 
messages, documents, attachments and so on, all available for everybody to see? 


You think this is impossible and it could never happen to you, don't you? Well, keep reading 
because I have bad news for you. 


Are you aware that every time you use e-mail you have absolutely no security and privacy? 
Are you aware that all your messages, sent and received, are being stored, possibly forever, 
by the same companies that provide you that nice free e-mail account, such as Gmail, 
Hotmail, Yahoo and others? 


Do you realize that once that information is stored it can be leaked at any time, and it 
WILL PROBABLY BE LEAKED? 


Yes, unfortunately this is all true. And do you know why they do it? For two reasons: to sell 
you garbage in the form of advertisement and to spy on you. 


Do you like garbage? Of course not! 
Do you like others spying on your life? Of course not! 
So what do you do then if you have no choice and you have to use e-mail? 


Fortunately there is a solution, it is called GNU Privacy Guard, or GnuPG. GnuPG is a com- 
Send this message to all your contacts because most people are unaware of the risks they 
face by not using cryptography in their communications, and they will not take any steps to 
use it until someone they know presents it to them. 
Conclusion 


By now you are aware of how cryptography works and of the importance of using this 
technology. With GnuPG anyone can reach a high level of security and privacy relatively 
easily and practically for free. 


Although more and more people are using cryptography these days, the reality is that for 
most of them it is still a complicated issue and they don't understand the risks they face by 
not using it. Also, most companies still don't use cryptography in their services, including 
services that handle important information such as e-mail. 

We believe that the more people and companies use cryptography, the more they will be 
aware of the dangers of insecure communications, and the more cryptography will become 
a default requirement rather than a mere convenience. 

In this guide we offered some basic advice on computer security so you can start using 
cryptography right now and secure your digital communications. This guide is not complete 
and it does not cover all the features of GnuPG, but in terms of e-mail privacy you are now 
ahead of the majority of computer users, including many so-called experts. 

Feel free to send this guide to as many people as you want. 

We hope you have liked this guide! 

If you would like to make any comments please write to goldenkeys@riseup.net. 


Thank You! 


The Golden Keys Team 
https://goldencontest.wordpress.com 